Secure Programming
Ian Brown-213389
Constants aren't and variables do...

There is no problem so great that it can not be solved by caffeine and chocolate.
DPhillips-731960
Too many web developers I have met do not understand even half of the items in the top 25 list...

And if they don't get it, management certainly does not within those same organizations.
Charles Kincaid
Ian Brown (3/19/2009)
Constants aren't and variables do...


What language is it where
1 = 2


is supported?

ATB
Charles Kincaid
David Reed-223505
Charles Kincaid (3/19/2009)
Ian Brown (3/19/2009)
Constants aren't and variables do...


What language is it where
1 = 2


is supported?



I've forgotten enough COBOL that I can't recall if it worked there, but I'm pretty sure that's true and easy to explain in Perl (for small values of easy).
RBarryYoung
Charles Kincaid (3/19/2009)
Ian Brown (3/19/2009)
Constants aren't and variables do...


What language is it where
1 = 2


is supported?


The issue isn't whether it's supported in some language, the issue is whether it happens in that language.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
kevin77
I like Charles's list as well and am kind of an extremist too. The solution to solving SQL Injection attacks is simply for every RDBMS system to flat out not allow inline SQL. Everything must be done with stored procedures and parameters.

I first heard about SQL Injection back in like 1997 or 1998. It amazes me how big of a topic it still is today and how many problems it still causes. Ridiculous!



GilaMonster
kevin77 (3/19/2009)
The solution to solving SQL Injection attacks is simply for every RDBMS system to flat out not allow inline SQL. Everything must be done with stored procedures and parameters.


Even that's not sufficient. I spent a good couple of hours explaining to a fairly experienced web developer why this is vulnerable to injection, regardless of what the procedure does.

Pseudo C# code:

SqlCommand cmd = new SqlCommand();
// Vulnerable: the form values are spliced straight into the batch text,
// so a quote character in either value changes the statement that runs.
cmd.CommandText = "Exec SomeProcedure @Param1 = '" + txtSomeValue.Text + "', @Param2 = '" + txtSomeOtherValue.Text + "';";
cmd.ExecuteNonQuery(); // was ExecuteNonReader(), which is not an ADO.NET method

And don't forget the nicely parameterised stored procedure that goes and builds up a SQL string with those parameters and EXECs it.

No inline SQL
All stored procedure calls must be properly parameterised
Any dynamic SQL within said procedures must be properly parameterised and must not include values from the front end or from the database.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass
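The two halves of Gail's point, as an added C# example (not code from the post): the concatenated EXEC string from the post next to a call that uses CommandType.StoredProcedure with typed parameters, plus the procedure body itself written with sp_executesql so that any dynamic SQL inside it is parameterised too. The procedure name SomeProcedure, the table dbo.Customers, the parameter sizes and the connection string are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient has the same surface on modern .NET

// Added example; names and schema below are assumptions, not the forum's code.
public static class StoredProcedureCalls
{
    // The pattern from the post: the procedure is irrelevant, because the
    // user's text is parsed as part of the batch before the procedure runs.
    public static int CallVulnerable(SqlConnection conn, string someValue, string someOtherValue)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "EXEC SomeProcedure @Param1 = '" + someValue +
                              "', @Param2 = '" + someOtherValue + "';";
            return cmd.ExecuteNonQuery();
        }
    }

    // Hardened form: the command text is only the procedure name and the
    // values travel as typed parameters, so they are never parsed as T-SQL.
    public static int CallParameterised(SqlConnection conn, string someValue, string someOtherValue)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandText = "dbo.SomeProcedure";
            cmd.Parameters.Add("@Param1", SqlDbType.NVarChar, 50).Value = someValue;
            cmd.Parameters.Add("@Param2", SqlDbType.NVarChar, 50).Value = someOtherValue;
            return cmd.ExecuteNonQuery();
        }
    }

    // Server side: if the procedure must build dynamic SQL, the values go
    // through sp_executesql as parameters rather than into an EXEC of a
    // concatenated string. Assumed schema: dbo.Customers(Name, City).
    public const string ProcedureDefinition = @"
CREATE PROCEDURE dbo.SomeProcedure @Param1 nvarchar(50), @Param2 nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Name, City FROM dbo.Customers WHERE Name = @p1 AND City = @p2';
    EXEC sp_executesql @sql,
         N'@p1 nvarchar(50), @p2 nvarchar(50)',
         @p1 = @Param1, @p2 = @Param2;
END";

    public static void Main()
    {
        // Placeholder connection string; replace with a real one to run.
        var connectionString = "Server=(local);Database=AppDb;Integrated Security=true;";
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            // Values that would break the concatenated version are plain data here.
            int rows = CallParameterised(conn, "O'Brien", "Cork");
            Console.WriteLine("rows affected: " + rows);
        }
    }
}
```

CallVulnerable is kept only to show the contrast; a value such as O'Brien already breaks it, which is the quickest way to demonstrate the problem to a developer without going near anything destructive. In the parameterised call the sizes on the SqlParameter objects also keep the plan cache stable, a side benefit of typing the parameters instead of letting ADO.NET infer them.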


Naked Ape
Seems like Charles' list touches a chord.

I too am surprised at how common SQL injection vulnerabilities (still) are. Having recently implemented an EDRMS system, our supplier provided a small addin to integrate with another system. I knew they would be taking values from a form to query a database and my first test was for SQL injection - I don't need to tell you it failed. They fixed it straight away, but these are supposedly professional developers, who do this sort of work for a living. Such tests should be part of any good QA regime and never make it off the factory floor.

Chris
RBarryYoung
GilaMonster (3/19/2009)
kevin77 (3/19/2009)
The solution to solving SQL Injection attacks is simply for every RDBMS system to flat out not allow inline SQL. Everything must be done with stored procedures and parameters.


Even that's not sufficient. I spent a good couple of hours explaining to a fairly experienced web developer why this is vulnerable to injection, regardless of what the procedure does.

Pseudo C# code:

SqlCommand cmd = new SqlCommand();
// Vulnerable: the form values are spliced straight into the batch text,
// so a quote character in either value changes the statement that runs.
cmd.CommandText = "Exec SomeProcedure @Param1 = '" + txtSomeValue.Text + "', @Param2 = '" + txtSomeOtherValue.Text + "';";
cmd.ExecuteNonQuery(); // was ExecuteNonReader(), which is not an ADO.NET method

And don't forget the nicely parameterised stored procedure that goes and builds up a SQL string with those parameters and EXECs it.

No inline SQL
All stored procedure calls must be properly parameterised
Any dynamic SQL within said procedures must be properly parameterised and must not include values from the front end or from the database.

Right, Gail. One of the most often missed points in discussions about SQL Injection is that the injection can happen on the Client side as well as the server side.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Gift Peddie
I am late to this but Microsoft have improved the System.Security.Cryptography class with the implementation of the new Elliptic Curve Diffie-Hellman classes which are more secure than the previous version. This will improve application layer encryption so all that is needed is improved SQL Server based encryption.

The reason is that these classes cannot be used in a CLR assembly, so there must be a solution for the persisted data in SQL Server.

http://blogs.msdn.com/shawnfa/archive/2007/01/22/elliptic-curve-diffie-hellman.aspx


Elliptic Curve is modular Taniyama-Shimura

Kind regards,
Gift Peddie
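The key agreement the post refers to, as an added C# example that is not from the post or the linked blog: two parties each generate an ephemeral P-256 key pair, exchange only public keys, and derive the same 32-byte key. It uses the cross-platform ECDiffieHellman API available on .NET Core 3.0 and later (the 2007 blog post used the Windows-only ECDiffieHellmanCng class); the curve choice and the use of SHA-256 as the key derivation hash are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;

// Added example of ECDH key agreement with System.Security.Cryptography.
public static class EcdhExample
{
    // Derives a symmetric key from our private key and the peer's public key.
    // DeriveKeyFromHash hashes the raw ECDH secret with SHA-256, so the result
    // is a uniformly distributed 32-byte key rather than a curve point.
    public static byte[] DeriveSharedKey(ECDiffieHellman mine, byte[] peerSubjectPublicKeyInfo)
    {
        using (var peer = ECDiffieHellman.Create())
        {
            peer.ImportSubjectPublicKeyInfo(peerSubjectPublicKeyInfo, out _);
            return mine.DeriveKeyFromHash(peer.PublicKey, HashAlgorithmName.SHA256);
        }
    }

    public static void Main()
    {
        using (var alice = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256))
        using (var bob = ECDiffieHellman.Create(ECCurve.NamedCurves.nistP256))
        {
            // Only the SubjectPublicKeyInfo blobs cross the wire; the private
            // scalars never leave their own process.
            byte[] alicePub = alice.ExportSubjectPublicKeyInfo();
            byte[] bobPub = bob.ExportSubjectPublicKeyInfo();

            byte[] aliceKey = DeriveSharedKey(alice, bobPub);
            byte[] bobKey = DeriveSharedKey(bob, alicePub);

            // Compare in constant time; both sides must hold the same 32 bytes.
            bool agree = CryptographicOperations.FixedTimeEquals(aliceKey, bobKey);
            Console.WriteLine("key length: " + aliceKey.Length + ", keys agree: " + agree);

            // The derived key is then used with an authenticated cipher such as
            // AesGcm for the application-layer encryption the post mentions.
            CryptographicOperations.ZeroMemory(aliceKey);
            CryptographicOperations.ZeroMemory(bobKey);
        }
    }
}
```

One caveat a practitioner would want: this exchange on its own is unauthenticated, so the public keys still need to be bound to their owners (a certificate, a signature, or a pre-shared fingerprint) before the derived key is trusted; ECDH gives a secret shared with whoever sent the public key, not proof of who that was.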