Ms Sql Database was injection

Question
-
Hi All
The MS SQL database was injected, even after restricting the MS SQL RDP to a static IP and restricting it in the network firewall also (but my network firewall is a shared firewall).
I have gone through the "eventvwr" logs; some unknown IPs are hitting the server. Please help with how to protect from SQL injection; it occurs very repeatedly on my database.
Thursday, March 21, 2013 9:41 AM
Answers
-
Hallo Kiran,
with deepest respect - are you not able to use a search engine for "SQL Server SQL Injection"?
Very first hit: http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx
Another issue is - for me - that I don't really understand what the problem is.
Olaf has mentioned that SQL injection is a database issue and has NOTHING to do with infrastructure or RDP or anything else. A really pretty fine article concerning SQL injection can be found here:
http://www.sommarskog.se/dynamic_sql.html
You should read this article first because it explains in detail what sql injection is, how it works and how to avoid it.
Uwe Ricken
MCSE - SQL Server 2012
MCSA - SQL Server 2012
MCITP Database Administrator 2005
MCITP Database Administrator 2008
MCITP Microsoft SQL Server 2008, Database Development
db Berater GmbH
http://www-db-berater.de
SQL Server Blog (German only)
Friday, March 22, 2013 10:20 AM
All replies
-
Hello Kiran,
SQL Injection is done by database access, not via RDP, and it's mostly caused by bad programming, see http://en.wikipedia.org/wiki/Sql_injection
So you have to first check your application for SQL injection points.
Olaf Helper
Blog Xing
Thursday, March 21, 2013 10:03 AM -
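The "bad programming" the reply above refers to typically looks like the first procedure below, shown beside a parameterized form and a rough catalog search for similar code. This is an added T-SQL example, not code from the thread or the linked articles; dbo.Customers, both procedure names and the sample rows are constructed for illustration, and GO is the SSMS/sqlcmd batch separator.

```sql
-- Constructed sample table (hypothetical names throughout).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customers (Name, City)
VALUES (N'Alice', N'Berlin'), (N'Bob', N'Oslo'), (N'Carol', N'Dublin');
GO

-- Vulnerable: the caller's text is concatenated into the statement,
-- so a quote in @Name ends the literal and the rest is parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Concat
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE Name = '''
        + @Name + N'''';
    EXEC (@sql);
END;
GO

-- Hardened: the statement text is constant and the value is passed
-- as a typed parameter, so it is only ever compared as data.
CREATE PROCEDURE dbo.FindCustomer_Param
    @Name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE Name = @Name';
    EXEC sys.sp_executesql @sql, N'@Name NVARCHAR(100)', @Name = @Name;
END;
GO

-- Constructed input containing a quote.
EXEC dbo.FindCustomer_Concat @Name = N'x'' OR 1=1 --';  -- returns every row
EXEC dbo.FindCustomer_Param  @Name = N'x'' OR 1=1 --';  -- returns no rows
GO

-- Rough heuristic for review: modules that EXEC a string variable directly.
-- Matches are candidates to read by hand, not proof of a flaw.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS SchemaName,
       OBJECT_NAME(m.object_id)        AS ObjectName
FROM sys.sql_modules AS m
WHERE m.definition LIKE N'%EXEC (@%'
   OR m.definition LIKE N'%EXEC(@%'
   OR m.definition LIKE N'%EXECUTE (@%';
```

The catalog search only covers code stored in the database; statements built as strings inside the application have to be reviewed in the application's own source.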
Hi
We are providing only database security; anyhow, we will inform the application vendors. Could you please share Microsoft articles for the same?
Thank you...
Thursday, March 21, 2013 10:18 AM -
Hi Uwe Ricken
Thanks for sharing the articles.
Monday, March 25, 2013 1:20 PM