Re: stop sql injection

From: Steve Kass (skass_at_drew.edu)
Date: 06/19/04


Date: Sat, 19 Jun 2004 15:20:53 -0400

If you need to do this, you are probably letting anonymous users write your
queries, or at least sections of them, and you are then trying to check to
see if they've written anything dangerous. Just searching for -- and ; may
eliminate naive injection attempts, but not ones where users express those
same things as binary literals, for example. (As far as I know, a semicolon
as a query terminator is ignored in SQL Server, by the way.)

If you write your own code and allow users to supply information only as
typed parameters to stored procedures, and if you take care *not* to defeat
the safety of parameterization by using string concatenation inside the
stored procedure to incorporate users' parameters into your query, you will
have greatly minimized and most likely eliminated the risk of injection.

Furthermore, use the principle of least privilege. A database connection
that has permission to select or insert rows into a table shouldn't have
permission to drop tables, delete rows, or insert rows into different
tables, for example. The risk of SQL injection is great when you allow
anonymous users access through a privileged database connection and let them
write code for you, which is what you do if you connect with administrative
privileges and concatenate users' text entries into a query you subsequently
run.

Steve Kass
Drew University

"Aaron" <kuya789@yahoo.com> wrote in message
news:uExBTKiVEHA.3512@TK2MSFTNGP12.phx.gbl...
> Is there a way to disable the use of -- and ; in a SQL query? I think this
> would prevent SQL injection attacks. I'm using SQL Server 2000
>
> Thanks,
> Aaron
>
>
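As an added worked example (not code from Steve's reply or Aaron's question), the T-SQL below shows the distinction the reply draws: a stored procedure that takes a typed parameter but concatenates it into dynamic SQL and executes it, beside two versions that keep the parameterization intact, followed by a least-privilege grant for the application login. The hostile value used at the end contains neither `--` nor `;`, which is why filtering those characters would not have helped. The table, column, procedure, login and password names are assumptions for illustration only.

```sql
-- Added example, not from the original post. Names of the table, columns,
-- procedures and the application login are assumed for illustration.
-- Written for SQL Server 2000; sp_executesql exists from SQL Server 7.0 on.

CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50) NOT NULL,
    Balance    MONEY NOT NULL
);
GO

-- UNSAFE: @LastName is a typed parameter, but splicing it into @sql and
-- running EXEC turns the caller's text back into code. The parameter
-- buys nothing here; the hole is identical to concatenating in ASP.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName NVARCHAR(50)
AS
    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT CustomerId, LastName, Balance FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
GO

-- SAFE: no dynamic SQL at all. The value is only ever compared as data,
-- so a quote, a comment marker or a semicolon inside it changes nothing.
CREATE PROCEDURE dbo.FindCustomer
    @LastName NVARCHAR(50)
AS
    SELECT CustomerId, LastName, Balance
    FROM dbo.Customers
    WHERE LastName = @LastName;
GO

-- SAFE even when dynamic SQL is unavoidable: sp_executesql binds the
-- user value as a parameter instead of pasting it into the statement text.
CREATE PROCEDURE dbo.FindCustomer_Dynamic
    @LastName NVARCHAR(50)
AS
    DECLARE @sql NVARCHAR(500);
    SET @sql = N'SELECT CustomerId, LastName, Balance FROM dbo.Customers '
             + N'WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(50)', @p = @LastName;
GO

-- Least privilege: the web application's login may execute the safe
-- procedure and nothing else. It holds no rights on dbo.Customers itself,
-- so even a successful injection elsewhere cannot DROP, DELETE or read
-- other tables through this connection. (Login name and password assumed.)
EXEC sp_addlogin 'webapp', 'replace-with-a-strong-password';
EXEC sp_adduser 'webapp', 'webapp';
GRANT EXECUTE ON dbo.FindCustomer TO webapp;
-- Deliberately no GRANT SELECT/INSERT/DELETE on dbo.Customers and no
-- db_owner or sysadmin membership for webapp.
GO

-- Demonstration with a hostile value that uses neither -- nor ; :
-- the unsafe procedure builds  WHERE LastName = 'x' OR 'a'='a'  and
-- returns every row; the safe ones look for that literal string and
-- return nothing.
INSERT INTO dbo.Customers (LastName, Balance) VALUES (N'Kass', 10.00);
INSERT INTO dbo.Customers (LastName, Balance) VALUES (N'Aaron', 20.00);

DECLARE @evil NVARCHAR(50);
SET @evil = N'x'' OR ''a''=''a';
EXEC dbo.FindCustomer_Unsafe  @evil;   -- returns both rows
EXEC dbo.FindCustomer         @evil;   -- returns no rows
EXEC dbo.FindCustomer_Dynamic @evil;   -- returns no rows
```

The middle procedure is the one to prefer when the query shape is fixed; `sp_executesql` is for the case where the statement text genuinely has to vary (a different table or sort column), and even then only the values, never identifiers, should come from the caller. A quick audit for the first pattern is to search procedure bodies for `EXEC (` and `EXECUTE (` and check whether anything concatenated into the string originated from a parameter.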


