sql 2008 server injection attacks -add data

  • Question

  • I have read various articles about SQL Server using parameterized queries and stored procedures.

    I have various books: Programming ASP.NET 2.0 (Jesse Liberty), Pro ASP.NET 2.0 (Scott Hanselman),
    Distributed Data Applications (Alex Homer) using XSLT and stored procedures, parameterized queries.

    My question was this: I tried to create a database and table using a wizard in
    SQL 2005 and I got stung with an injection attack (of course I uninstalled SQL 2005).

    My question is twofold. Is it better to create a table by hand in ASP.NET by using
    parameterized queries? How about adding and deleting data?

    I want to do SQL reports. I have read various articles. Does T-SQL help with this?
    I do know stored procedures play a part in this...

    What is the best way to prepare for SQL 2008 security? Thanks

    Saturday, September 6, 2008 10:48 PM

Answers

  •    I am not sure which wizard you used, but if you were using any SQL Server Management Studio wizard, please let us know and I will report it, but I would also recommend reporting it directly at Microsoft Connect.

      Unfortunately parameterization is not possible in DDL (i.e. CREATE TABLE), and you would need to rely on regular dynamic SQL. The recommendation in this case is to make sure to follow these guidelines:

    * Validate input: Constrain input, accepting only well-formed data as input

    * Escape data using string replace or using the T-SQL QUOTENAME built-in

    * Use type-safe parameters

    * Follow the least privilege principle

    * Avoid disclosing database error information


      The following links should be good aids in securing SQL Server:

    * Security and Protection (Database Engine): http://msdn.microsoft.com/en-us/library/bb510589.aspx

    * Protect from SQL injection in ASP .Net: http://msdn.microsoft.com/en-us/library/ms998271.aspx

    * SQL Injection: http://msdn.microsoft.com/en-us/library/ms161953.aspx

    * SQL Server Security blog: http://blogs.msdn.com/sqlsecurity

    * Laurentiu Cristofor's blog: http://blogs.msdn.com/lcris

    * Raul Garcia's blog (archived articles): http://blogs.msdn.com/raulga


      I hope this information helps. Please let us know if you have any additional questions or feedback.


      Thanks,

    -Raul Garcia

      SDE/T

      SQL Server Engine

    Monday, September 8, 2008 6:44 PM
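The five recommendations in the answer above, carried through as one added T-SQL example. This is not code from the thread, from Microsoft, or from the poster; it assumes a SQL Server 2005/2008 database in which dbo owns the objects, and the function, procedure and table names (fn_IsSafeIdentifier, usp_CreateSimpleTable, usp_AddName, usp_DeleteName, Customers, AppRole) are made up for illustration. The table name, which cannot be a parameter, is validated against an allow-list and escaped with QUOTENAME; the data values, which can be parameters, go through sp_executesql and are never concatenated into the statement.

```sql
-- Added example (not from the original thread or from Microsoft).
-- Object names below are hypothetical.

-- 1. Validate input: allow-list the identifier (letter first, then letters,
--    digits or underscore, at most 64 characters). The binary collation makes
--    the [A-Za-z] ranges mean ASCII code points, not linguistic sort order.
CREATE FUNCTION dbo.fn_IsSafeIdentifier (@Name sysname)
RETURNS bit
AS
BEGIN
    RETURN CASE
        WHEN @Name IS NULL                                                    THEN 0
        WHEN LEN(@Name) > 64                                                  THEN 0
        WHEN @Name COLLATE Latin1_General_BIN NOT LIKE '[A-Za-z]%'            THEN 0
        WHEN @Name COLLATE Latin1_General_BIN LIKE '%[^A-Za-z0-9_]%'          THEN 0
        ELSE 1
    END;
END;
GO

-- 2. DDL cannot be parameterized: validate the name, escape it with QUOTENAME
--    (wraps in [ ] and doubles any embedded ]), then concatenate. EXECUTE AS OWNER
--    lets the application login run this without holding CREATE TABLE itself
--    (least privilege), and the error message does not echo the bad input.
CREATE PROCEDURE dbo.usp_CreateSimpleTable
    @TableName sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    IF dbo.fn_IsSafeIdentifier(@TableName) = 0
    BEGIN
        RAISERROR('Invalid table name.', 16, 1);
        RETURN 1;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'CREATE TABLE dbo.' + QUOTENAME(@TableName)
             + N' (Id int IDENTITY(1,1) PRIMARY KEY, Name nvarchar(100) NOT NULL);';
    EXEC sys.sp_executesql @sql;
    RETURN 0;
END;
GO

-- 3. DML: the table name takes the same validate-and-QUOTENAME path, but the
--    data value is a typed parameter of sp_executesql, so a value such as
--    O'Brien'; DROP TABLE dbo.Customers;-- is stored as data, never executed.
CREATE PROCEDURE dbo.usp_AddName
    @TableName sysname,
    @Name      nvarchar(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    IF dbo.fn_IsSafeIdentifier(@TableName) = 0
    BEGIN
        RAISERROR('Invalid table name.', 16, 1);
        RETURN 1;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'INSERT INTO dbo.' + QUOTENAME(@TableName) + N' (Name) VALUES (@Name);';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
    RETURN 0;
END;
GO

CREATE PROCEDURE dbo.usp_DeleteName
    @TableName sysname,
    @Name      nvarchar(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    IF dbo.fn_IsSafeIdentifier(@TableName) = 0
    BEGIN
        RAISERROR('Invalid table name.', 16, 1);
        RETURN 1;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'DELETE FROM dbo.' + QUOTENAME(@TableName) + N' WHERE Name = @Name;';
    EXEC sys.sp_executesql @sql, N'@Name nvarchar(100)', @Name = @Name;
    RETURN 0;
END;
GO

-- 4. Usage. The application role gets EXECUTE on the procedures and nothing else:
-- GRANT EXECUTE ON dbo.usp_CreateSimpleTable TO AppRole;  (and the other two)
EXEC dbo.usp_CreateSimpleTable @TableName = N'Customers';                          -- created
EXEC dbo.usp_CreateSimpleTable @TableName = N'x]; DROP TABLE dbo.Customers; --';   -- rejected
EXEC dbo.usp_AddName    @TableName = N'Customers',
                        @Name = N'O''Brien''; DROP TABLE dbo.Customers; --';       -- stored as text
EXEC dbo.usp_DeleteName @TableName = N'Customers', @Name = N'nobody';               -- deletes 0 rows
SELECT Id, Name FROM dbo.Customers;                                                 -- still exists
```

Two details worth keeping in mind when adapting this: QUOTENAME returns NULL for input longer than 128 characters, which would silently turn the whole concatenated statement into NULL, so the length check in the allow-list is not optional; and in a Windows collation a pattern such as [A-Za-z] follows dictionary order and admits accented letters, which is why the example pins the comparison to a binary collation.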