02 January, 2015 by Tom Collins
SQL injection attacks have received high publicity since the web explosion. In code reviews I see the same vulnerabilities appear on a regular basis. Developers take note.
The SQL injection attack always uses the same method. The approaches differ, but the method remains the same: the injected data starts with a single quote ('), which closes the string literal the application intended to send, appends the Trojan SQL code, and ends with the comment marker (--). The effect of the (--) is to comment out the remainder of the original SQL that was intended to be submitted, so the database only sees the attacker's statement.
It is a common belief amongst DBAs that SQL injection attacks are an application issue. In reality, the application and database need to be reviewed in unison.
The two main routes by which SQL injection attacks reach the database are:
a) Parameterized stored procedures that build SQL code from their parameters and execute it (dynamic SQL inside the procedure)
b) SQL code concatenated in the client interface and passed through the application to the database
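As an added T-SQL example (not code from the original post), the two forms of route a) side by side: a stored procedure that concatenates its parameter into a string and runs it with EXECUTE, and the same lookup written with sp_executesql and a typed parameter, which is the defence point 2 below refers to. The table, procedure and column names are assumptions for illustration.

```sql
-- Added example, not from the original post. Names are illustrative.
CREATE TABLE dbo.Customers (CustomerId INT PRIMARY KEY, Surname NVARCHAR(50));
INSERT INTO dbo.Customers VALUES (1, N'Smith'), (2, N'O''Brien');
GO

-- Vulnerable form: the caller's text is spliced into the statement, so a
-- quote in @Surname ends the literal and whatever follows it is executed
-- as SQL (exactly the quote / SQL / -- pattern described above).
CREATE PROCEDURE dbo.FindCustomer_Concat @Surname NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Surname FROM dbo.Customers WHERE Surname = '''
        + @Surname + N'''';
    EXEC (@sql);   -- EXECUTE of a built string: there is no parameter boundary
END;
GO

-- Hardened form: the statement text is fixed at design time; the value
-- travels as a typed parameter that sp_executesql binds rather than splices,
-- so a quote in the input is just a character in a surname.
CREATE PROCEDURE dbo.FindCustomer_Param @Surname NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Surname FROM dbo.Customers WHERE Surname = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(50)', @p = @Surname;
END;
GO

-- Constructed test input: a legitimate surname containing a quote.
EXEC dbo.FindCustomer_Param  @Surname = N'O''Brien';  -- returns row 2
EXEC dbo.FindCustomer_Concat @Surname = N'O''Brien';  -- fails: unclosed quotation mark
```

The failing call is the tell during a code review: a procedure that cannot cope with an apostrophe in ordinary data is the same procedure that will execute anything placed after that apostrophe. The parameterized version also gives the strong typing of point 2 below for free; declaring the parameter as INT, for example, rejects non-numeric input before any SQL runs.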
1) Never use 'sa' or any login with sysadmin privileges for the application. sysadmin is the highest privilege available within SQL Server and should only be assigned to the DBAs.
2) Strongly typed parameters assist in defending against SQL injection attacks.
Read more: SQL sp_executesql versus EXECUTE
3) The IS_GRANTABLE flag is a default, and it allows permissions to be granted onward at any object level. Consideration should be given to creating a policy for this security risk. It is not uncommon for SQL injections to begin by identifying whether IS_GRANTABLE is set to YES or NO.
Read more: How to manage the IS_GRANTABLE security risk
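The DBA side of the review for points 1 and 3, as an added T-SQL example that is not part of the original post: one query lists the logins that hold sysadmin (so an application login appearing there is an immediate finding), and two list permissions held WITH GRANT OPTION, which is what IS_GRANTABLE = 'YES' reports. The object and principal names in the final REVOKE are placeholders.

```sql
-- Added audit queries, not from the original post.

-- Point 1: every login that is a member of the sysadmin fixed server role.
-- Application service accounts should not appear in this list.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- Point 3: database-level permissions granted WITH GRANT OPTION.
-- Run in each user database; the grantee can pass these on to others.
SELECT
    pr.name         AS grantee,
    pr.type_desc    AS grantee_type,
    pe.class_desc,
    CASE pe.class_desc
        WHEN 'DATABASE'         THEN DB_NAME()
        WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
        WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.'
                                     + OBJECT_NAME(pe.major_id)
        ELSE CONCAT(pe.class_desc, N':', pe.major_id)
    END             AS securable,
    pe.permission_name,
    pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state_desc = N'GRANT_WITH_GRANT_OPTION'
ORDER BY grantee, securable, pe.permission_name;

-- The same condition as the IS_GRANTABLE column itself, restricted to
-- table privileges, which is where the flag is usually inspected.
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
FROM INFORMATION_SCHEMA.TABLE_PRIVILEGES
WHERE IS_GRANTABLE = 'YES';

-- Remediation for a finding: remove only the ability to re-grant, keeping
-- the permission itself. CASCADE also revokes anything the grantee has
-- already passed on. (dbo.Customers and app_user are placeholders.)
REVOKE GRANT OPTION FOR SELECT ON OBJECT::dbo.Customers FROM app_user CASCADE;
```

Scheduling the two SELECT queries as part of a regular security audit turns the policy the post asks for into a check with a known-good baseline: any new row in either result set is a change that should be explained.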