Monday, January 31, 2005

SQL Injection Attacks and Some Tips on How to Prevent Them


Security in software applications is an ever more important topic. In this article I discuss various aspects of SQL Injection attacks, what to look for in your code, and how to secure it against SQL Injection attacks. Although the technologies used here are SQL Server 2000 and the .NET Framework, the general ideas presented apply to any modern data-driven application framework, which means the attacks are potentially possible against any type of application that depends on such a framework.

What is a SQL Injection Attack?

A SQL Injection attack is an attack that originates in user input that has not been checked for validity. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.

There are two main types of attack. First-order attacks are when the attacker receives the desired result immediately, either by direct response from the application they are interacting with or some other response mechanism, such as email. Second-order attacks are when the attacker injects some data that will reside in the database, but the payload will not be immediately activated. I will discuss each in more detail later in this article.
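The article's examples are written for SQL Server 2000 and the .NET Framework; the following is an added illustration (not code from the article) that reproduces the two attack types in Python against an in-memory SQLite database, since the mechanism is identical on any driver. The table, rows, and the probe string `x' OR '1'='1` are all constructed for the demonstration. The first-order case shows a string-built query returning every row when the input carries a quote; the second-order case shows a value that was written safely with a parameterised INSERT being concatenated into a later statement, which is where the stored payload finally executes. Each vulnerable function sits beside its parameterised counterpart.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from the article.
USERS = [
    ("alice", "alice@example.test", "Alice"),
    ("bob", "bob@example.test", "Bob"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, display TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """First-order: the input is pasted into the SQL text, so a quote in it changes the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised: the driver binds the input as a value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def set_display(conn, name, display):
    """Store a user-supplied display name. The write is parameterised, so the
    payload is stored verbatim and nothing happens yet."""
    conn.execute("UPDATE users SET display = ? WHERE name = ?", (display, name))


def report_vulnerable(conn, name):
    """Second-order: a value read back from the database is concatenated into a
    later statement, so the stored payload executes here."""
    display = conn.execute(
        "SELECT display FROM users WHERE name = ?", (name,)
    ).fetchone()[0]
    sql = "SELECT name, email FROM users WHERE display = '" + display + "'"
    return conn.execute(sql).fetchall()


def report_safe(conn, name):
    """Same report with the stored value bound as a parameter."""
    display = conn.execute(
        "SELECT display FROM users WHERE name = ?", (name,)
    ).fetchone()[0]
    return conn.execute(
        "SELECT name, email FROM users WHERE display = ?", (display,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed tautology probe
    print("first-order, vulnerable: ", lookup_vulnerable(db, probe))
    print("first-order, safe:       ", lookup_safe(db, probe))
    set_display(db, "bob", probe)
    print("second-order, vulnerable:", report_vulnerable(db, "bob"))
    print("second-order, safe:      ", report_safe(db, "bob"))
```

The point of the second-order pair is that validating or parameterising input at the moment it enters the system is not enough on its own: every place a stored value is later turned back into SQL text must also bind it as a parameter, because the database cannot tell data that arrived safely from data that was crafted to be executed later.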


More Links:
SQL A to Z Here:
SQL Server DO's and DON'Ts
Unauthorised access to a SQL Server, and how to prevent it
