Securing SQL Server

Protecting Your Database from Attackers

180k+ websites attacked because of bad dev code

Author: mrdenny

There is another massive SQL Injection attack going around, this time hitting 180k ASP.NET websites. The article I referenced has a decent write-up on the actual attack, and it links to a post with detailed information about it. However, the article on IT World gives some really poor advice on how to protect yourself from a SQL Injection attack:

There’s no easy way to fix the vulnerability of the database to this attack except to “harden” the database by applying all the patches and making all the security requirements consistent. Monitoring the database for unusual activity is important, too.

Patching SQL Server will NOT prevent a SQL Injection attack, at all. The SQL Server isn't the attack vector for a SQL Injection attack; the web application is the attack vector. By the time the injected SQL reaches the SQL Server database (or any database) it has already been accepted as part of a valid query, and it's too late.

SQL Injection is actually really easy to protect yourself from. Simply stop building SQL by concatenating user input into the query text, and instead start using parametrized queries (also called bound queries). That's it, that's the big secret. Yes, I understand that writing your .NET code with parametrized queries is more work than just doing string concatenation and running the query, but getting your site attacked and putting malware on your customers' computers because you didn't want to do a little typing is just no excuse.

As this is a blog about my book "Securing SQL Server", here's the sales pitch. In the book I talk all about how to use parametrized queries. It really isn't that hard, and there is lots of sample code on how to do it. You don't need to use stored procedures to use parametrized queries. You can do it with normal ad hoc SQL as well; it works basically the same way.

In case you didn't get my point yet, parametrized queries are the ONLY WAY that you can be 100% sure that you are protecting yourself from SQL Injection attacks. If you can't find some links on how to use parametrized queries, here are a few links for you: PHP, .NET, and more .NET.
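To make the difference concrete, here is an added example in C# (not code from the post or from the book): the concatenated query the post warns against sits beside the SqlCommand version with a bound parameter, using plain ad hoc SQL rather than a stored procedure. The dbo.Users table, its columns and the connection string are assumed for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; assumes a hypothetical table
// dbo.Users(UserName nvarchar(50), Email nvarchar(200)).
public static class UserLookup
{
    // VULNERABLE: the user-supplied value becomes part of the SQL text, so
    // anything containing a quote character can change the statement the
    // server executes. This is the pattern behind the attack in the post.
    public static string BuildVulnerableSql(string userName)
    {
        return "SELECT Email FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the SQL text is a constant. The value travels as a typed parameter
    // (SqlClient sends it to SQL Server through sp_executesql), so the server
    // only ever sees it as data, never as part of the query.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Email FROM dbo.Users WHERE UserName = @UserName;", conn);
        // Declaring the type and length also keeps the plan cache tidy and
        // rejects values that do not fit the column.
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Returns the e-mail address for the user, or null when no row matches.
    public static string GetEmail(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterizedCommand(conn, userName))
        {
            conn.Open();
            // ExecuteScalar returns DBNull or null when nothing matched;
            // "as string" maps both to null.
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

A quick check in a debugger: BuildVulnerableSql("O'Brien") already produces invalid SQL, whereas the parameterized command runs the same constant text for every input.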

Denny

Tags: Securing SQL Server, SQL Injection

This entry was posted on Monday, October 24th, 2011 at 2:36 pm and is filed under Securing SQL Server. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
