January 28, 2009 at 10:06 pm
I do not have any idea about SQL Injection.
What is it and why should we use it?
How can we use it and when can we use it?
January 28, 2009 at 10:24 pm
You DON'T want to use SQL Injection. This is a method used to ATTACK your database. To learn more I'd start by Googling SQL Injection.
There also may be some articles or links here on SSC that you could read, so you might also try Googling this site for more information.
January 30, 2009 at 5:59 am
There are articles all over the internet on this. It's easy to test and play with on a test server. Essentially you're vulnerable to SQL injection if you are using ad hoc queries via applications which accept user-typed input.
There are multi-tiered approaches to preventing an attack, or securing your data. You need to work with application developers and discuss with them ways to prevent the system from being vulnerable.
1. User input should be checked for valid data and not "comment" characters at the application side.
2. Try to avoid user "typed" input.
3. When possible use parameter-based stored procedures, in lieu of ad hoc queries.
Here's an MSDN article that goes into detail:
http://msdn.microsoft.com/en-us/library/ms161953.aspx
steve
January 30, 2009 at 6:53 am
I will add a couple more steps to prevent it...
1. Make sure all DB access is through stored procs. Then you do not have to give any rights on the table itself to the Application User.
2. Try not to use Dynamic SQL. It is quite dangerous if you do not know what you are doing. You have to be very very careful when using Dynamic SQL.
3. Try to use Windows Authentication for your Application user with a very basic rights.
-Roy
January 30, 2009 at 8:01 am
January 30, 2009 at 8:40 am
I would recommend any applications being developed that access/update a SQL database be designed using connections with parameters for inserting search criteria. Some applications are developed using command text that consists of only a string. The string value given to the command text allows for the insertion of a variable value obtained from user input to the application. When this occurs, assuming value validation is not being accomplished, a user can add extra characters to the value to trick the server into returning more data than desired. For example, if a variation of " OR 1=1" is added to a variable being inserted into a part of the command text for a server connection, then all the rows from the table would be returned.
Hope this helps.
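The two posts above (steve's three prevention steps and the " OR 1=1" explanation) together describe one vulnerable pattern and its fix. The following is an added example, not code from the thread, using a constructed in-memory SQLite table (the `users` table, its rows and the `login_*` helpers are all assumptions for illustration): it shows the string-built command text returning every row when the input carries a variation of " OR 1=1", the parameterized query returning nothing for the same input, and an application-side allow-list check for step 1.

```python
import re
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "s3cret"),
    ("carol", "pa55w0rd"),
]

# Step 1 from the thread: accept only characters a username may contain,
# so quotes and "--" comment sequences never reach the database layer.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name):
    """Application-side allow-list check; returns True only for clean input."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db():
    """Build the constructed in-memory table used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_adhoc(conn, name, password):
    """Vulnerable: the command text is one string with user input spliced in."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Hardened: the query shape is fixed; the driver binds the values."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both versions against normal and hostile input; return the rows."""
    conn = make_db()
    hostile = "' OR 1=1 --"  # the variation of " OR 1=1" the thread describes
    results = {
        "adhoc_normal": login_adhoc(conn, "alice", "hunter2"),
        "adhoc_injected": login_adhoc(conn, hostile, "anything"),
        "param_normal": login_parameterized(conn, "alice", "hunter2"),
        "param_injected": login_parameterized(conn, hostile, "anything"),
    }
    conn.close()
    return results
```

The ad hoc version returns all three rows for the hostile input because the WHERE clause becomes `name = '' OR 1=1` with the rest commented out; the parameterized version returns none because the whole string is compared as a literal value.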
February 2, 2009 at 7:28 am
A good reference for how bad this stuff can be is Neil Carpenter's blog. He is a member of the Security Response team at MS and has a few really good posts detailing specific attack signatures:
http://blogs.technet.com/neilcar/archive/tags/SQL/default.aspx
Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
My Blog | Twitter | MVP Profile
Training | Consulting | Become a SQLskills Insider
Troubleshooting SQL Server: A Guide for Accidental DBAs
February 3, 2009 at 7:27 am
Was someone's account hijacked to ask this question?
DBA, Veteran ???
February 3, 2009 at 7:56 am
NotManyPoints (2/3/2009)
Was someone's account hijacked to ask this question?
I doubt it.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
February 3, 2009 at 8:09 am
NotManyPoints (2/3/2009)
Was someone's account hijacked to ask this question? DBA, Veteran ???
DBA is his avatar, veteran is because he has over 300 posts. That level is not guaranteed to reflect skill levels.
There's no harm in trying to upgrade the skills either.
February 3, 2009 at 8:41 am
I know what the things mean and DBA is more than the avatar it is stated as occupation.
It was a quizzical comment on the information about a person possibly not reflecting true knowledge.
Who can you trust if you can't trust an online persona with an avatar and number of points... (Sarcasm, lowest form of wit, I know….)
Would they be upgrading their 'site' level or their actual 'skill' in asking this question.
As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.
Fully expect to get blasted for this, but just getting those posts up… :Whistling:
February 3, 2009 at 8:49 am
NotManyPoints (2/3/2009)
As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.
Not necessarily. There's a person on another SQL forum that I frequent that has over 1000 posts, but still asks beginner-level questions.
Points != skill level, just forum activity. I assure you, a good portion of mine are from chit-chat type posts.
Judge advice and answers based on the content and (if you want to do research) the other answers that the person has given, not just on the number of points.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
February 3, 2009 at 8:49 am
NotManyPoints (2/3/2009)
I know what the things mean and DBA is more than the avatar, it is stated as occupation. It was a quizzical comment on the information about a person possibly not reflecting true knowledge.
Who can you trust if you can't trust an online persona with an avatar and number of points... (Sarcasm, lowest form of wit, I know….)
Would they be upgrading their 'site' level or their actual 'skill' in asking this question.
As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.
Fully expect to get blasted for this, but just getting those posts up… :Whistling:
There is actually a thread about some of the posted questions. Some of your comments might be better posted there but again, it might be better to keep them non personal. Not trying to be harsh but there are many that come to this site to learn and the last thing that I desire, and most likely many others, is to scare them away. May be the only place they can come. Know what I mean. 😉
http://www.sqlservercentral.com/Forums/Topic604325-61-23.aspx#bm648435
David
@SQLTentmaker "He is no fool who gives what he cannot keep to gain that which he cannot lose" - Jim Elliot
February 3, 2009 at 9:00 am
GilaMonster (2/3/2009)
NotManyPoints (2/3/2009)
As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.
Not necessarily. There's a person on another SQL forum that I frequent that has over 1000 posts, but still asks beginner-level questions.
Points != skill level, just forum activity. I assure you, a good portion of mine are from chit-chat type posts.
Judge advice and answers based on the content and (if you want to do research) the other answers that the person has given, not just on the number of points.
+1 I couldn't stress what Gail says here enough. There are people on the other forums that I goof off in that have tons of posts and points, but answer 1 in maybe 10-12 times that they post. I try and keep about a 50-50 post to answer ratio in what I do in technical forums. Sometimes it just takes 10 posts to get to the bottom of a thread and provide an answer to the issue, but most times you can hit a home run if you are technically proficient with a single post or two.
Number of posts/points in any forum is not a measure of technical knowledge. Unfortunately for people on the outside looking in to the forums, that is usually the way that they gauge things, and it can be very wrong to do so.
Another thing to note is that what might seem 100 level to you may not be for someone else. I got flamed a few months back for asking a basic FullText Index question on another forum, because I am a Moderator/MVP. It's not something I had ever worked with before, and in a pinch I needed some help and couldn't spend a few hours trying to find out enough to figure it all out. There are plenty of decent DBA/Developers out there that don't know about SQL Injection. Just look at the number of major sites that have been hit by it.
Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
My Blog | Twitter | MVP Profile
Training | Consulting | Become a SQLskills Insider
Troubleshooting SQL Server: A Guide for Accidental DBAs
February 3, 2009 at 9:09 am
Jonathan Kehayias (2/3/2009)
Another thing to note is that what might seem 100 level to you may not be for someone else. I got flamed a few months back for asking a basic FullText Index question on another forum, because I am a Moderator/MVP.
What? That's insane. Remind me to stay away from those forums.
I posted a couple of Oracle - SQL replication questions here a few months ago because I'd run into issues on the Oracle side, and I know nothing about Oracle.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability