Protection Against SQL Server Injection Attacks

Here is an interesting topic, if your a web developer and use SQL Database software in your applications, how much thought do you give to ensure your application is safe from a SQL Injection Attack?

SQL Injection Attacks are when a end-user attempts to run malicious SQL statements on your applications database to programmatically alter it’s behaviour extend it’s functionality to their own gain, or possibly extract or remove data completely from the back-end. Not something I would think any developer wants to have happen intentionally?

These attacks can happen on the most “patched” or “up-to-date” servers around, the attacker is not finding a hole in the back-end software; in-fact they are breaking your front-end, most common SQL Server Injection attacks occur from an applications front-end public interface. Yes your code!

Think about this simple concept; say I have a search box which looks up a table in a database for products, I have used a basic POSTBACK event to reload my script to pass the contents of the search box to a simple SQL Query on my table that contains the products to be searched. Something like this:

SELECT * FROM tbl_Products WHERE Product_Name = ‘ + InputBox.Text ;

What if one of the Users of my application enters:  ‘DELETE * FROM tbl_Products’ ; into my search box?

You can see this type of input could cause real havoc in your application, again it will vary on the type of SQL Back-end you use and the server-side language engine (ASP.NET, PHP, C#) etc. But with the example above, if it were an ASP.NET application with a MS SQL back-end, seeing’s how MS SQL Server will allow multiple statements be executed in the one query your application is at serious risk of an Injection Attack. All it takes is your script to pass the attackers commands to your query function and then given the level of access the script has to perform operations in the database, they have taken control.

This Article will show you some helpful ways to better protect your application from attack, some of the concepts can apply to languages and SQL server software other than MS technologies so have a read for some ideas:

http://msdn2.microsoft.com/en-us/library/ms998271.aspx

Published: 29/04/2008 12:10 AM
Rating 3.00 out of 5
%d bloggers like this: