Re: SQL Injection and DB user permissions



Randy wrote:
I have a .asp web application (using MSSQL SRV).
I have actually taken it down after reading articles posted here and
elsewhere, since it contains quite a bit of 'dynamic sql' and I KNOW
that it's FULL of vulnerabilities to SQL Injection attack. I decided
not to wait around for this to happen and I'm working to 'harden' it.

So this is probably a stupid question and, no doubt, there is a
concept that I am not grasping.
But, since my site is purely informational and (by intention at
least) only allows the user to search and display the data, I would
THINK that employing a database user in the connection string with
read-only permissions would at least make it LESS susceptible to
this kind of attack.
Am I missing something here?

Nope. That is certainly a valid approach. The only potential problem
that would remain is if there is something to read in the database that
you don't want people to be able to read.

If users are not allowed to modify data, that certainly reduces your
potential for damage, and would definitely prevent the recent worm
attack from affecting your system.

Just be sure to explicitly grant SELECT permissions on only the database
objects you want to be visible to users. Don't just put the user
account in db_datareader and think you're safe.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.
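The advice above, worked through as an added T-SQL example for SQL Server (not code from either poster): a dedicated read-only user for the search page's connection string, a SELECT grant on one view instead of db_datareader membership, and an impersonation check that shows what the web user can and cannot reach. The database, login, table, view and column names (AppDb, SearchWeb, dbo.Products, dbo.ProductSearch) are placeholders, and the password must come from the application's configuration.

```sql
-- Added example, not from the original thread. All object names are placeholders.
USE AppDb;
GO

-- A login and user used only by the web application's connection string.
-- The password is a placeholder; take the real one from protected configuration.
CREATE LOGIN SearchWeb WITH PASSWORD = '<strong password from config>', CHECK_POLICY = ON;
CREATE USER SearchWeb FOR LOGIN SearchWeb;
GO

-- Weak setting: db_datareader grants SELECT on every table and view in the
-- database, including ones the search page never needs. Shown only to contrast.
-- ALTER ROLE db_datareader ADD MEMBER SearchWeb;   -- do not do this

-- Corrected setting: a view that exposes only the searchable columns, and a
-- SELECT grant on that view alone. The user receives no rights on the base
-- table; ownership chaining (view and table both owned by dbo) lets the
-- view read the table on the user's behalf.
CREATE VIEW dbo.ProductSearch AS
    SELECT ProductId, Name, Description FROM dbo.Products;
GO
GRANT SELECT ON OBJECT::dbo.ProductSearch TO SearchWeb;
GO

-- Verification: impersonate the web user and ask what it is permitted to do.
EXECUTE AS USER = 'SearchWeb';
SELECT HAS_PERMS_BY_NAME('dbo.ProductSearch', 'OBJECT', 'SELECT') AS can_read_view,
       HAS_PERMS_BY_NAME('dbo.Products',      'OBJECT', 'SELECT') AS can_read_table,
       HAS_PERMS_BY_NAME('dbo.Products',      'OBJECT', 'UPDATE') AS can_update_table;
-- Every database-level permission the user holds; CONNECT should be all there is.
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

Run the verification block again whenever a table or view is added: with only the explicit grant in place, can_read_view is the one column that comes back 1, and any new object stays invisible to SearchWeb until it is granted deliberately. Had the account been dropped into db_datareader instead, can_read_table would also return 1, which is the gap the reply warns about.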

