SQL Replication and SQL Injection attacks

  • Is SQL Transactional Replication susceptible to SQL Injection attacks? I don't believe so but my Security Manager does. Where can I find info to prove who's right or wrong?

  • Sounds like total nonsense to me.

    Transactional replication reads from the transaction log. Of course SQL Injection is possible through your original application, then replication will apply any change to the subscribers, but that's an issue of the frontend and not replication. To inject code through (default) procedures used by transactional replication seems not possible to me (but you never know). And even if there is some weakness in these procedures, users or applications shouldn't be allowed to use these procedures anyway. They are purely for applying the changes at the subscribers.

    Markus

    Markus Bohse

  • I don't think that there is any way to slip data into the stream that would be susceptible to SQL Injection. I suppose it's theoretically possible to slip into the replication stream as a man-in-the-middle attack and send data in, but at that point I'd think you could do much more than SQL Injection.

    I tend to agree with Markus that this isn't a valid concern.
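
The distinction both replies draw, as an added example that is not part of the original thread: a small simulation using Python's sqlite3 rather than SQL Server, with hypothetical table and function names. It assumes the subscriber-side apply step receives column values as bound parameters, and uses a row diff as a stand-in for the log reader.

```python
import sqlite3

SCHEMA = "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, note TEXT)"
ROWS = [(1, "alice", ""), (2, "bob", ""), (3, "carol", "")]  # constructed sample data

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ROWS)
    return db

def snapshot(db):
    return db.execute("SELECT id, owner, note FROM accounts ORDER BY id").fetchall()

def vulnerable_frontend_update(db, owner, note):
    """Front end that builds SQL by concatenation: the injectable layer."""
    before = {r[0]: r for r in snapshot(db)}
    db.execute("UPDATE accounts SET note = '" + note + "' WHERE owner = '" + owner + "'")
    # Stand-in for the log reader: one row-level change per modified row.
    return [("update", r) for r in snapshot(db) if before[r[0]] != r]

def apply_at_subscriber(db, changes):
    """Stand-in for the subscriber apply procedures: values are bound, never parsed."""
    for op, (id_, owner, note) in changes:
        if op == "update":
            db.execute("UPDATE accounts SET owner = ?, note = ? WHERE id = ?",
                       (owner, note, id_))
        elif op == "insert":
            db.execute("INSERT INTO accounts VALUES (?, ?, ?)", (id_, owner, note))

def demo():
    publisher, subscriber = make_db(), make_db()
    # Constructed input: the owner value widens the WHERE clause at the front end.
    changes = vulnerable_frontend_update(publisher, "bob' OR '1'='1", "flagged")
    apply_at_subscriber(subscriber, changes)
    rows_changed = len(changes)  # damage done at the publisher, then replicated
    in_sync = snapshot(publisher) == snapshot(subscriber)
    # SQL-looking text arriving as replicated data is stored, not executed.
    payload = "x'; DROP TABLE accounts; --"
    apply_at_subscriber(subscriber, [("insert", (4, "dave", payload))])
    stored = subscriber.execute("SELECT note FROM accounts WHERE id = 4").fetchone()[0]
    return rows_changed, in_sync, stored == payload, len(snapshot(subscriber))

if __name__ == "__main__":
    print(demo())
```

The injected update changes all three rows at the publisher and the subscriber mirrors that result faithfully, so the fix belongs in the front end (parameterized queries); the replicated string itself is inert at the subscriber.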
