SQL Injection

Answers

    • Marked as answer by Kalman Toth Monday, September 5, 2011 7:35 AM
    Saturday, August 27, 2011 7:01 AM
  • The author Itzik Ben-Gan mentions in his book <<Inside SQL Server 2008: T-SQL Programming>>:

     

    "One of the greatest security risks and causes of great damage to computerized systems is a hacking technique called SQL injection. By using SQL injection, hackers inject their own malicious code into statements you execute dynamically on your SQL Servers, often from accounts with elevated privileges. An attacker can launch a SQL injection attack when you construct code by concatenating strings"

     

    The author Erland Sommarskog gives an in-depth explanation of this subject:

    http://www.sommarskog.se/dynamic_sql.html#SQL_injection

     

    "Talent is a tough discipline and a long patience"  Gustave Flaubert

    Email: info@geohernandez.com Blog: geeks.ms/blogs/ghernandez

     


    • Marked as answer by Kalman Toth Monday, September 5, 2011 7:34 AM
    Saturday, August 27, 2011 7:12 AM
  • SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

     

    Source: http://msdn.microsoft.com/en-us/library/ms161953.aspx

     

    Please mark as answer if this helps.


    - Kerobin
    • Marked as answer by Kalman Toth Monday, September 5, 2011 7:34 AM
    Saturday, August 27, 2011 9:48 AM
  • SQL Injection is a hacker technique where an intruder makes use of the fact that you build SQL strings by concatenating input values:

    cmd.CommandText = "SELECT col1 FROM tbl WHERE col2 = '" + inputval + "'";

    A malicious user can here enter an input like:

    '; SHUTDOWN WITH NOWAIT --

    And take down your server if the connection is running with sufficient permissions.

    The correct way to avoid SQL injection is to use parameterised statements.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
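    The following is an added example, not code from Erland's post or from the forum: it puts the concatenated CommandText from the post beside its parameterised form so the difference can be run and observed. It uses Python's built-in sqlite3 module as a stand-in for SQL Server (an assumption made so it runs offline with no server), a constructed two-row table named tbl with columns col1 and col2, and a tautology payload (' OR '1'='1) in place of the SHUTDOWN payload, since SQLite will not execute stacked statements through execute(). The SHUTDOWN payload from the post is also fed to the parameterised query to show it is treated as an ordinary string value.

```python
import sqlite3


def setup_db():
    """Constructed sample data (not from the original post): a tiny in-memory
    table standing in for the SQL Server table 'tbl' in the posted snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (col1 TEXT, col2 TEXT)")
    conn.executemany(
        "INSERT INTO tbl VALUES (?, ?)",
        [("public-row", "alice"), ("secret-row", "bob")],
    )
    conn.commit()
    return conn


def build_concat_sql(inputval):
    """Mirrors the vulnerable concatenation from the post, so the resulting
    statement text can be inspected before it reaches the database."""
    return "SELECT col1 FROM tbl WHERE col2 = '" + inputval + "'"


def lookup_concat(conn, inputval):
    """Vulnerable: the input becomes part of the SQL text, so a quote in the
    input ends the literal and the rest is parsed as SQL."""
    return [row[0] for row in conn.execute(build_concat_sql(inputval))]


def lookup_param(conn, inputval):
    """Hardened: the statement text is fixed and the value is bound as a
    parameter. sqlite3 uses '?' placeholders; ADO.NET uses named ones such
    as @col2 together with cmd.Parameters."""
    sql = "SELECT col1 FROM tbl WHERE col2 = ?"
    return [row[0] for row in conn.execute(sql, (inputval,))]


def demo():
    """Runs both lookups with an honest value and with attacker-controlled
    input and returns the result sets so they can be compared."""
    conn = setup_db()
    honest = "alice"
    # Tautology payload: closes the quoted literal and appends an
    # always-true predicate, so the concatenated WHERE clause becomes
    #   col2 = '' OR '1'='1'
    tautology = "' OR '1'='1"
    # The payload from the post. SQL Server would parse the ';' as a
    # statement separator when concatenated; as a bound parameter it is
    # only compared against col2 as a string.
    stacked = "'; SHUTDOWN WITH NOWAIT --"
    results = {
        "concat_honest": lookup_concat(conn, honest),
        "concat_tautology": lookup_concat(conn, tautology),
        "param_honest": lookup_param(conn, honest),
        "param_tautology": lookup_param(conn, tautology),
        "param_stacked": lookup_param(conn, stacked),
    }
    # The table is still there after the stacked payload went through the
    # parameterised path: count the rows to prove nothing was executed.
    results["rows_after"] = conn.execute("SELECT COUNT(*) FROM tbl").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The concatenated query returns every row for the tautology input, while the parameterised query returns nothing for it, because the database compares col2 against the literal string ' OR '1'='1 rather than parsing it. In ADO.NET the same fix is cmd.CommandText = "SELECT col1 FROM tbl WHERE col2 = @col2" followed by cmd.Parameters.Add("@col2", SqlDbType.NVarChar, 50).Value = inputval; the permission caveat from the post still applies, so the application login should also not be a member of sysadmin or hold SHUTDOWN permission in the first place.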
    • Marked as answer by Kalman Toth Monday, September 5, 2011 7:34 AM
    Saturday, August 27, 2011 10:02 AM
    • Marked as answer by Kalman Toth Monday, September 5, 2011 7:34 AM
    Saturday, August 27, 2011 10:47 PM
  • There is a very long and interesting thread on ASP.NET forum

    http://forums.asp.net/t/777624.aspx/1/10


    For every expert, there is an equal and opposite expert. - Becker's Law


    My blog
    • Marked as answer by Kalman Toth Monday, September 5, 2011 7:33 AM
    Sunday, August 28, 2011 3:04 AM
