SQL Server Performance

Parse errors generated due to Sql Injection

Discussion in 'SQL Server 2005 General Developer Questions' started by dmaddhali, Dec 7, 2005.

  1. dmaddhali New Member

    Hi,
    I would like to know the table/log which is populated by SQL Server when
    failed attempts to log in to a SQL Server using SQL injection are made.

    Users may try to log into a SQL Server using SQL injection. They may succeed after some failed attempts. I would like to write code which would monitor for any illegal login attempts and inform the administrator.

    Can anyone tell me the log file / table which contains information regarding failed login attempts?
  2. FrankKalis Moderator

  3. ghemant Moderator

    Hi,
    my first question is: why does a hacker succeed? Don't you have a proper security policy implemented?

    Check this thread also: http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=58641

    :)
    Regards

    Hemantgiri S. Goswami
    ghemant@gmail.com
    "Humans don't have Caliber to PASS TIME, Time itself Pass or Fail Humans" - by Hemantgiri S. Goswami
  4. Adriaan New Member

    I've had this idea for a while and I wonder if it's new ...

    You're open to SQL injection when your SP accepts a string for filtering data in a dynamic SQL statement, and a hacker can add a destructive instruction to the end of the filter string.

    Well, in most cases the filter will be used for a SELECT query - right?

    So in those cases - besides the security issue - you could set it up like this:

    BEGIN TRANSACTION
    <execute dynamic SQL>
    ROLLBACK TRANSACTION

    If your client app is expecting a rowset, then it will still get the results from your SELECT, but any DELETE or UPDATE action would be rolled back.
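    The wrap-and-rollback idea from the post above, run end to end as an added example (not code from the original thread). The table, procedure and the three filter strings are constructed for the demo and the names are hypothetical. The first injected call shows the behaviour Adriaan describes; the last two show where it stops: a read-only payload still returns its rows, and a payload that ends the transaction itself defeats the rollback.

```sql
-- Added example (not from the original post): Adriaan's wrap-and-rollback
-- idea applied to a search procedure. Table, procedure and payloads are
-- constructed for the demo; the names are hypothetical.
SET NOCOUNT ON;
CREATE TABLE dbo.Customer (Id int IDENTITY PRIMARY KEY, Name nvarchar(50), City nvarchar(50));
INSERT INTO dbo.Customer (Name, City) VALUES ('Alice', 'Berlin');
INSERT INTO dbo.Customer (Name, City) VALUES ('Bob',   'Paris');
INSERT INTO dbo.Customer (Name, City) VALUES ('Carol', 'Berlin');
GO

-- The injectable pattern from the post: the caller's filter text is glued into
-- dynamic SQL. The batch runs inside a transaction that is always rolled back,
-- so the SELECT's rowset still reaches the client but DML smuggled into
-- @Filter is undone.
CREATE PROCEDURE dbo.SearchCustomer_Rollback @Filter nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name, City FROM dbo.Customer WHERE City = ''' + @Filter + N'''';
    BEGIN TRANSACTION;
    EXEC (@sql);
    ROLLBACK TRANSACTION;
END
GO

-- Normal call: rowset with Alice and Carol.
EXEC dbo.SearchCustomer_Rollback N'Berlin';

-- Destructive payload (constructed): the DELETE runs, then is rolled back.
EXEC dbo.SearchCustomer_Rollback N'Berlin''; DELETE FROM dbo.Customer; --';
SELECT COUNT(*) AS RowsAfterDelete FROM dbo.Customer;     -- 3: the DELETE was undone
GO

-- Limit 1: a read-only payload is untouched by the rollback. The second
-- result set below is the server's login list, handed back to the caller.
EXEC dbo.SearchCustomer_Rollback N'Berlin''; SELECT name, type_desc FROM sys.server_principals; --';
GO

-- Limit 2: the attacker controls the batch, so he can end the transaction
-- himself. COMMIT drops @@TRANCOUNT to 0, the DELETE then auto-commits, and
-- the procedure's own ROLLBACK only raises error 3903 (no matching BEGIN).
EXEC dbo.SearchCustomer_Rollback N'Berlin''; COMMIT; DELETE FROM dbo.Customer; --';
GO
SELECT COUNT(*) AS RowsAfterCommitPayload FROM dbo.Customer;   -- 0: the data is gone
```

Run it in a scratch database. The rollback does exactly what the post says for a naive `DELETE`, but the caller decides what the dynamic batch contains, so the wrapper is a speed bump rather than a control.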
  5. FrankKalis Moderator

  6. Adriaan New Member

    Good point. Depends on the client app, and what kind of information is being returned - might be a scalar value. Another point with ASP (I am told) is to always include proper error handling; otherwise hackers might be able to read technical details from standard error messages.

    Anyway, good point - as usual.
  7. dineshasanka Moderator

    I think rather than logging those attempts it is better to prevent those attacks.
    As you know, prevention is the best option.
    There are tools with which you can check whether your site is vulnerable to SQL injection.
    You can find a tool at http://www.acunetix.com

    ----------------------------------------
    http://spaces.msn.com/members/dineshasanka
  8. FrankKalis Moderator

    Hm, if I were an attacker with criminal intent rather than shortsightedly simply destroying the data, I would try to download the data and then have all the time I need to analyse it and commit my crime. So, I would agree with Dinesh: properly sanitising input should be the way to go here.

    --
    Frank Kalis
    Microsoft SQL Server MVP
    http://www.insidesql.de
    Blogged today yet? http://www.insidesql.de/blogs
    I support PASS Deutschland e.V. (http://www.sqlpass.de)
  9. dmaddhali New Member

    Basically I am a developer and not a DBA. So, I cannot set the security of the server.

    I shall put the question in a different way. I would like to know all the parse errors occurring
    in my SQL Server 2005.

    For this I tried to use the sp_readerrorlog stored procedure. This stored procedure imports log information into a table.

    Or else, is there any event class which logs all parse errors?
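    An added example covering both of dmaddhali's questions (the failed logins from the first post and the parse errors from this one); it is not code from the thread. It assumes a SQL Server 2005 instance with login auditing at its default ("Failed logins only"), a `dbo.Customer(Id, Name, City)` table that is created if absent, and the other object names are hypothetical. Two things the script makes visible: failed logins (error 18456) live in the SQL Server error log, which `sp_readerrorlog` reads into a table; parse errors raised by an injected string are returned to the client and never reach the error log, so a developer without server rights has to catch them in his own procedures.

```sql
-- Added example (not from the original post). Two places a developer can
-- collect the events asked about, with SQL Server 2005 features only.
-- Assumptions: login auditing is at its default ("Failed logins only"),
-- dbo.Customer(Id, Name, City) exists or is created here, and the other
-- object names are hypothetical.
SET NOCOUNT ON;
IF OBJECT_ID('dbo.Customer') IS NULL
    CREATE TABLE dbo.Customer (Id int IDENTITY PRIMARY KEY, Name nvarchar(50), City nvarchar(50));
GO

-- 1. Failed logins (error 18456) go to the SQL Server error log, not a table.
--    sp_readerrorlog reads the current log (0) of the engine (1) filtered on
--    a search string; INSERT ... EXEC lands the rows in a table to query.
CREATE TABLE #ErrorLog (LogDate datetime, ProcessInfo nvarchar(50), [Text] nvarchar(max));
INSERT INTO #ErrorLog
    EXEC master.dbo.sp_readerrorlog 0, 1, 'Login failed';

-- Repeated failures from one client address are the trace a guessing loop
-- leaves; the [CLIENT: x.x.x.x] tag is part of the 18456 message text.
SELECT
    SUBSTRING([Text], CHARINDEX('[CLIENT:', [Text]), 40) AS ClientTag,
    COUNT(*)     AS Failures,
    MIN(LogDate) AS FirstSeen,
    MAX(LogDate) AS LastSeen
FROM #ErrorLog
WHERE [Text] LIKE 'Login failed for user%'
GROUP BY SUBSTRING([Text], CHARINDEX('[CLIENT:', [Text]), 40)
HAVING COUNT(*) >= 5
ORDER BY Failures DESC;
GO

-- 2. Parse errors (102 "Incorrect syntax near", 105 "Unclosed quotation
--    mark") are returned to the client and are NOT written to the error
--    log, so sp_readerrorlog never sees them. A developer without server
--    rights can still catch them in his own procedures with TRY...CATCH
--    (new in 2005) and keep the offending input for the administrator.
CREATE TABLE dbo.SqlErrorAudit (
    AuditId   int IDENTITY PRIMARY KEY,
    ErrorTime datetime       NOT NULL DEFAULT GETDATE(),
    LoginName sysname        NOT NULL,
    HostName  nvarchar(128)  NULL,
    ErrorNum  int            NOT NULL,
    ErrorMsg  nvarchar(2048) NOT NULL,
    InputText nvarchar(max)  NULL
);
GO
CREATE PROCEDURE dbo.SearchCustomer_Audited @Filter nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name, City FROM dbo.Customer WHERE City = ''' + @Filter + N'''';
    BEGIN TRY
        EXEC (@sql);
    END TRY
    BEGIN CATCH
        -- The dynamic batch compiles at a lower execution level, so its
        -- syntax errors reach this CATCH block (unlike a syntax error in
        -- the procedure body itself, which would abort before TRY runs).
        INSERT INTO dbo.SqlErrorAudit (LoginName, HostName, ErrorNum, ErrorMsg, InputText)
        VALUES (SUSER_SNAME(), HOST_NAME(), ERROR_NUMBER(), ERROR_MESSAGE(), @Filter);
        -- Return a generic message; the raw parser text tells an attacker
        -- how the statement is built.
        RAISERROR (N'Search failed.', 16, 1);
    END CATCH
END
GO

-- Constructed probe: the stray quote is the classic first test for injection.
-- Inside the dynamic SQL it becomes WHERE City = 'Berlin'' and fails to
-- parse (unclosed quotation mark, errors 105/102).
EXEC dbo.SearchCustomer_Audited N'Berlin''';
GO
SELECT ErrorTime, LoginName, HostName, ErrorNum, ErrorMsg, InputText
FROM dbo.SqlErrorAudit;
```

The audit table is what a monitoring job or a SQL Agent alert can poll to notify the administrator; the grouping query on the error log is the equivalent for brute-force login attempts. Neither needs server-level configuration beyond the default login auditing.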
  10. mulhall New Member

    SQL Injection does not 'log in'.

    SQL Injection relies on authentication and authorisation offered already, although you can inject a setuser or open a connection to another system.

    Countering SQL Injection is done through validating the input from your users, and limiting the permissions an action runs with.
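    The two countermeasures in the reply above, parameter binding and limiting the permissions an action runs with, applied to the same dynamic-SQL search as an added example (not code from the thread). Names are hypothetical; `dbo.Customer(Id, Name, City)` is created if absent, and the script assumes the web application connects with its own dedicated login.

```sql
-- Added example (not from the original post): mulhall's two countermeasures,
-- parameter binding and least privilege, applied to the same search.
-- Names are hypothetical; dbo.Customer(Id, Name, City) is created if absent.
SET NOCOUNT ON;
IF OBJECT_ID('dbo.Customer') IS NULL
BEGIN
    CREATE TABLE dbo.Customer (Id int IDENTITY PRIMARY KEY, Name nvarchar(50), City nvarchar(50));
    INSERT INTO dbo.Customer (Name, City) VALUES ('Alice', 'Berlin');
    INSERT INTO dbo.Customer (Name, City) VALUES ('Bob',   'Paris');
END
GO

-- 1. Validate by binding, not by escaping: the filter goes to sp_executesql
--    as a typed parameter. Its content is compared as data and is never
--    parsed as SQL, so the quote/semicolon payload simply matches no City.
CREATE PROCEDURE dbo.SearchCustomer_Safe @Filter nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Id, Name, City FROM dbo.Customer WHERE City = @City';
    EXEC sp_executesql @sql, N'@City nvarchar(200)', @City = @Filter;
END
GO

EXEC dbo.SearchCustomer_Safe N'Berlin';                                   -- Alice
EXEC dbo.SearchCustomer_Safe N'Berlin''; DELETE FROM dbo.Customer; --';  -- no rows, nothing deleted
SELECT COUNT(*) AS RowsStillPresent FROM dbo.Customer;                    -- unchanged
GO

-- 2. Limit what the action runs with: the web application connects as a
--    login that may execute the procedure and read the table, but holds no
--    DELETE/UPDATE/INSERT right. A concatenation bug elsewhere then cannot
--    destroy data, because the caller lacks the permission.
CREATE LOGIN WebApp WITH PASSWORD = N'<replace with a strong password>';   -- placeholder, not a credential
CREATE USER WebApp FOR LOGIN WebApp;
GRANT EXECUTE ON dbo.SearchCustomer_Safe TO WebApp;
-- Dynamic SQL does not get ownership chaining, so the SELECT inside
-- sp_executesql is checked against the caller: grant SELECT, and only SELECT.
GRANT SELECT ON dbo.Customer TO WebApp;
GO

-- Prove it by impersonating the application user in this session.
EXECUTE AS USER = 'WebApp';
    EXEC dbo.SearchCustomer_Safe N'Paris';             -- works: Bob
    BEGIN TRY
        DELETE FROM dbo.Customer;                      -- denied
    END TRY
    BEGIN CATCH
        SELECT ERROR_NUMBER() AS ErrNo, ERROR_MESSAGE() AS ErrMsg;   -- 229, DELETE permission denied
    END CATCH
REVERT;
```

Binding removes the injection; the grant set is what contains the damage if a concatenated statement survives somewhere else in the code base. The comment about ownership chaining is the practical catch: a procedure built on `sp_executesql` needs explicit table rights for its caller, which is the moment to decide exactly which rights those are.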
