chuawenching
Starting Member
5 Posts
Posted - 2003-06-10 : 18:31:17

Hello everyone. I have read many, many articles on the Internet on the security side of SQL injection and how to avoid it. But as a developer, there seem to be too many ways to prevent it. Do you mind sharing your experience of how SQL injection affected your real-time applications and how you actually solved it? Do you mind sharing?

Other than SQL injection, what other threats have affected databases? Yeah, SQL Slammer is one. Any idea?

Thanks.

Regards,
Chua Wen Ching :p
byrmol
Shed Building SQL Farmer
1591 Posts
Posted - 2003-06-10 : 18:36:41

Stored procedures stop injection. The only possible way is if you are using dynamic SQL in the proc.

Don't use port 1433.

Change your SA password to something only a computer can remember. GUID! ;-)

DavidM
"SQL-3 is an abomination.."
benoityip
Starting Member
14 Posts
Posted - 2003-06-11 : 02:40:14

There is an article on MSDN about ASP.NET security; in that over-600-page document, the details of how to prevent injection attacks are outlined. E.g. replace ' with '' when inserting string data, using stored pro...
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2003-06-11 : 02:56:07

Stored procs are the best way. Also tighten up your DB login security. If you use stored procs, you can set up a login that ONLY has access to the stored procs. If they can't read or write any of the tables directly, even if they get past the web server your data is safe.

Filtering apostrophes is a good step, but doesn't make you safe in itself.

Consider this bit of ASP code:

    Dim sql
    sql = "Select ArticleID, ArticleHeadline From Articles Where ArticleID = " & Request.QueryString("id")
    Set Results = Connection.Execute(sql)

Now, if I put this on the querystring:

    0 UNION ALL Select UserID, UserName + Password FROM Users Where UserID=1

What am I going to see on the ASP page?

Granted I would have to do a bit of guessing to get the table and column names, but security through obscurity is no excuse.

There are also a few REALLY nasty things you could do in this case, but I'm not going to post them now.

Moral of the story, use stored procs. If you can't, then at least validate EVERY SINGLE BIT of user input data. If you are EXPECTING an integer, make sure you have an integer before letting it anywhere near your database connection.

Damian
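The ASP snippet and query-string value from Damian's post above, replayed against a constructed in-memory SQLite database (an example added here, not code from the thread or from Damian): the concatenated query returns the Users row, the same value bound as a parameter matches nothing, and an integer check rejects it before any SQL is built. The table contents and credentials are made up, and SQLite concatenates strings with || where T-SQL uses +.

```python
import sqlite3


def build_db():
    # Constructed stand-in for the Articles and Users tables in the ASP snippet.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Articles (ArticleID INTEGER, ArticleHeadline TEXT);
        CREATE TABLE Users (UserID INTEGER, UserName TEXT, Password TEXT);
        INSERT INTO Articles VALUES (1, 'Welcome');
        INSERT INTO Users VALUES (1, 'admin', 'hunter2');
    """)
    return db


# The query-string value from the thread (SQLite spelling: || instead of +).
# It contains no apostrophe at all, so "replace ' with ''" would not stop it.
PAYLOAD = "0 UNION ALL SELECT UserID, UserName || Password FROM Users WHERE UserID=1"


def article_vulnerable(db, article_id):
    # Mirrors: sql = "... Where ArticleID = " & Request.QueryString("id")
    # The request value becomes part of the SQL text itself.
    sql = ("SELECT ArticleID, ArticleHeadline FROM Articles "
           "WHERE ArticleID = " + article_id)
    return db.execute(sql).fetchall()


def article_parameterized(db, article_id):
    # The SQL text is fixed before the value is seen; the value is bound as
    # data, so a UNION inside it is just a string that equals no ArticleID.
    sql = "SELECT ArticleID, ArticleHeadline FROM Articles WHERE ArticleID = ?"
    return db.execute(sql, (article_id,)).fetchall()


def article_validated(db, article_id):
    # Damian's rule: if you EXPECT an integer, make sure you have one before
    # the value gets anywhere near the database connection.
    if not article_id.isdecimal():
        raise ValueError("id must be a non-negative integer")
    return article_parameterized(db, int(article_id))


if __name__ == "__main__":
    db = build_db()
    print("normal id     :", article_vulnerable(db, "1"))
    print("concatenated  :", article_vulnerable(db, PAYLOAD))     # Users row
    print("parameterized :", article_parameterized(db, PAYLOAD))  # []
    try:
        article_validated(db, PAYLOAD)
    except ValueError as e:
        print("validated     : rejected,", e)
```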
chuawenching
Starting Member
5 Posts
Posted - 2003-06-11 : 21:20:35

Thanks for the comments... can I use parameterized SQL to avoid SQL injection... do you have the exact link for the MSDN article about ASP.NET security?

I heard that in Microsoft's new .Net PetShop 3.0, stored procedures are not used anymore? There must be a reason behind it, right? Maybe not secure or etc. Any comments?

Other than SQL injection and SQL Slammer, what other possible SQL Server 2000 threats are there???

Thanks.

Regards,
Chua Wen Ching :p
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2003-06-11 : 21:31:00

quote: can i use parameterized sql to avoid sql injection...

I don't think so. From the looks of it, parameterized SQL is really just doing string replaces. But you might want to test that. See my above point about validating ALL user input.

quote: I heard in Microsoft new .Net PetShop 3.0, stored procedures is not used anymore? There must be a reason behind right? Maybe not secure or etc.

A lot of sample applications are just that, feature samples. They are not necessarily "Best Practice".

quote: Other than sql injection and sql slammer, what other possible ways of sql server 2000 threats???

That is a HUGE topic. www.sqlsecurity.com is a good start. Any system is only as secure as its weakest link, so you need to know about your server OS, web server, network, mail server and firewall etc. etc. to get even close to total security (which doesn't really exist).

Damian
benoityip
Starting Member
14 Posts
Posted - 2003-06-12 : 06:00:57

http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch12.asp?frame=true

I consider this article excellent in detailing injection and the different ways of preventing it.
benoityip
Starting Member
14 Posts
Posted - 2003-06-12 : 06:04:20

The pet shop doesn't use stored procs because the purpose of setting up the pet shop is to convince ppl that .NET is better than Java because it uses fewer lines of code. If u type SQL instead of stored procs, a lot more code is typed... There is nothing related to injection attacks.. The pet shop is just set up to tell ppl to convert to .NET from Java. Kind of a Microsoft marketing strategy.
benoityip
Starting Member
14 Posts
Posted - 2003-06-12 : 06:09:41

For the Slammer attack: I think ppl open ports other than port 80 for SQL Server to the public. This is stupid.. I will develop applications that use only port 80 when we are accessing from the Internet..

I am doing Pocket PC at the moment; I won't talk to my DB directly from my Pocket PC using ODBC/OLEDB at the moment, coze they are not using port 80.
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2003-06-12 : 06:13:05

Why the hell would you open up port 80 to your database server? THAT is stupid. Port 80 is HTTP.

Changing from the default 1433 to something else close is a good idea though, if you have to have your SQL Server public at all.

Damian
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2003-06-12 : 06:15:40

quote: http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetch12.asp?frame=true
I consider this article as excellent on detailing injection and different ways of preventing it

I don't. It has basically two things to say. The first is that you use stored procs. OK, that is a good idea, and what David and I have been saying from the start. The second is filter apostrophes. It is an OK start, but I can do a few things that will still get past that.

Damian
benoityip
Starting Member
14 Posts
Posted - 2003-06-12 : 10:47:49

quote: Why the hell would you open up port 80 to your database server ? THAT is stupid. Port 80 is HTTP.

We use port 80 for SQL XML in SQL2K, that's why we open port 80 for the DB.

Good to see that you are in Sydney also!!
chuawenching
Starting Member
5 Posts
Posted - 2003-06-12 : 11:52:45

Thanks... wow, that link is rated 8 out of 9... should be very resourceful.. But other than SQL injection and SQL Slammer.. what are the other possible threats to SQL Server 2000... I just want to know more about it.. might be useful to me in future!

Thanks.

Regards,
Chua Wen Ching :p
monkeybite
Posting Yak Master
152 Posts
Posted - 2003-06-12 : 12:10:49

quote: We use port 80 for SQL XML in Sql2k, thats why we open port 80 for db.

You can run SQLXML from any machine that hosts IIS. It doesn't have to run on the database server. The only reasoning I can see for this is if a business or organization can't afford a separate web server, so one box plays two roles.

~ monkey
monkeybite
Posting Yak Master
152 Posts
Posted - 2003-06-12 : 12:18:39

By the way, we've actually used SQL injection against an arrogant, brash, and rather ignorant fellow developer who declared to us that his personal website was "un-hackable". He also insisted on using Access as his database. Once we found where his dynamic SQL was built in his code, it was a snap to start browsing the database, create phantom forum posts, change passwords, etc. This guy refuses to learn from his mistakes and won't admit shortcomings.

~ monkey
byrmol
Shed Building SQL Farmer
1591 Posts
Posted - 2003-06-12 : 19:09:48

I was tasked to do the same thing, Monkeybite, about 12 months ago. With an awesome network engineer we got through the web servers, straight to the DB. When we discovered they were using the sa account, did we have some fun! Detached the DB, copied it across the wire, and then emailed it back to them with a very helpful message.. "Have you lost something?" The ensuing meetings were the funniest I have had....

DavidM
"SQL-3 is an abomination.."
chuawenching
Starting Member
5 Posts
Posted - 2003-06-12 : 23:35:42

Yeah... SQL injection is fun.. Thanks for the comments... But again, ARE THERE OTHER SECURITY THREATS TO SQL SERVER 2000 OTHER THAN SQL INJECTION AND SQL SLAMMER?

Does Code Red affect databases? I know it affects web servers!

Regards,
Chua Wen Ching :p
Merkin
Funky Drop Bear Fearing SQL Dude!
4970 Posts
Posted - 2003-06-12 : 23:53:09

Read the thread properly. Read the links. Subscribe to a security list like NTBugTraq and don't shout.

Damian
chuawenching
Starting Member
5 Posts
Posted - 2003-06-15 : 21:13:07

Anyway, thanks a lot.

Regards,
Chua Wen Ching :p