SQL Server Performance

SQL Injection attacks - don't forget to visit guidance information from Microsoft

Discussion in 'SQL Server Knowledge Sharing Network (SqlServer-qa' started by satya, May 31, 2008.

  1. satya Moderator

    One of the biggest threats in the IT industry and the database world is unprecedented attacks, most commonly termed 'SQL injection'.

    There is no doubt that the biggest database vendors, Microsoft being one of them, have so far been providing recommendations regarding security-related configuration settings since the good and bad times of SQL Server version 2000, not pointing in particular at the DBA or the developer but at the application database as a whole; remember the 'Slammer worm'! Here it is best to refer to the ignored 'best' practices (bad ones) that are seen at most deployments, such as leaving a blank password for any application connectivity or using very common words such as 'password'. In this fashion any generic installation of SQL Server can be relatively easily configured at the server, database, or database object level, and an obvious path of access to data is provided via client applications, which increases the range of potential vulnerabilities and places an equal share of responsibility for data security on software developers, where I feel most users must be educated/trained on security aspects.

    So, to know more about SQL injection attacks and vulnerabilities within your system, I'm providing a few of the best examples and explanations, such as the SQL Injection attacks post by Buck Woody and the SQL Injection Attacks by Example blog posts.

    To close the topic, I would like to highlight the importance of monitoring the information (small or big) that might be revealed via error messages resulting from executing malformed SQL statements. It is like leaving your house key in the door lock when you are supposed to secure it before going away!
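The two points raised in the post above (a query built from user input, and a verbose database error handed back to the caller) side by side with their fixes, as an added example that is not part of satya's post or of Microsoft's guidance. It uses Python's built-in sqlite3 module in place of SQL Server so it runs offline; the `users` table, the accounts in it, and the `login_*`/`handle_login` helper names are all constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample database: two accounts, plaintext passwords on purpose
    so the effect of the injection is visible in the returned rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the statement is assembled by string
    concatenation, so attacker-controlled text becomes part of the SQL grammar.
    A username of  alice' --  comments out the password check entirely."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened form: placeholders are bound as parameters by the driver, so the
    input can only ever be compared as a value, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def handle_login(conn, login_fn, username, password, expose_errors):
    """Wraps a login function and decides what a failed query reveals.

    expose_errors=True mirrors the mistake the post warns about: the raw
    database error (which quotes the broken statement) reaches the client and
    tells an attacker how their input landed in the query. The hardened branch
    returns a fixed message; the real error belongs in a server-side log."""
    try:
        rows = login_fn(conn, username, password)
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc) if expose_errors else "login failed"}
    return {"ok": bool(rows), "rows": rows}


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass through the concatenated query.
    print(login_vulnerable(db, "alice' --", "wrong"))
    print(login_vulnerable(db, "x' OR '1'='1", "x' OR '1'='1"))
    # Same payloads against the parameterised query return nothing.
    print(login_safe(db, "alice' --", "wrong"))
    # A malformed input: verbose error versus generic error.
    print(handle_login(db, login_vulnerable, "'", "", expose_errors=True))
    print(handle_login(db, login_vulnerable, "'", "", expose_errors=False))
```

The same split applies on SQL Server: dynamic SQL built with string concatenation and run through `EXEC` is the vulnerable shape, while parameters passed through `sp_executesql` or bound by the client driver are the fix, and any error text raised by the engine should be logged on the server rather than echoed to the user.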
