Parse errors generated due to Sql Injection | SQL Server Performance Forums


Hi,
I would like to know the table/log which is populated by SQL Server when failed attempts to log in to a SQL Server using SQL injection are made. Users may try to log into a SQL Server using SQL injection. They may succeed after some failed attempts. I would like to write code which would monitor for any illegal login attempts and inform the administrator. Can anyone tell me the log file / table which contains information regarding failed login attempts?

Check out http://www.sqlsecurity.com
Frank Kalis
Microsoft SQL Server MVP
http://www.insidesql.de
Blogged today yet? http://www.insidesql.de/blogs
I support PASS Deutschland e.V. (http://www.sqlpass.de)

Hi,
My first question is: why does a hacker get to succeed? Didn't you implement a proper security policy?

Check this thread also: http://www.sqlteam.com/forums/topic.asp?TOPIC_ID=58641

:)
Regards

Hemantgiri S. Goswami
[email protected]
"Humans don't have Caliber to PASS TIME, Time itself Pass or Fail Humans" – by Hemantgiri S. Goswami
I've had this idea for a while and I wonder if it's new ... You're open to SQL injection when your SP accepts a string for filtering data in a dynamic SQL statement, and a hacker can add a destructive instruction to the end of the filter string. Well, in most cases the filter will be used for a SELECT query – right? So in those cases – besides the security issue – you could set it up like this:

BEGIN TRANSACTION
<execute dynamic SQL>
ROLLBACK TRANSACTION

If your client app is expecting a rowset, then it will still get the results from your SELECT, but any DELETE or UPDATE action would be rolled back.
But what when the attacker doesn't just want to destroy data, but simply wants to view sensitive data for further abuse and/or attacks? —
Frank Kalis
Microsoft SQL Server MVP
http://www.insidesql.de
Blogged today yet? http://www.insidesql.de/blogs
I support PASS Deutschland e.V. (http://www.sqlpass.de)

Good point. It depends on the client app, and on what kind of information is being returned – it might be a scalar value. Another point with ASP (I am told) is to always include proper error handling, otherwise hackers might be able to read technical details from standard error messages. Anyway, good point – as usual.
I think that rather than logging those attempts, it is better to prevent those attacks.
As you know, prevention is the best option.
There are tools with which you can check whether your site is vulnerable to SQL injection.
You can find a tool from http://www.acunetix.com
—————————————-
http://spaces.msn.com/members/dineshasanka

Hm, if I were an attacker with criminal intent rather than shortsightedly simply destroying the data, I would try to download the data and then have all the time I need to analyse it and commit my crime. So, I would agree with Dinesh: properly sanitising input should be the way to go here. —
Frank Kalis
Microsoft SQL Server MVP
http://www.insidesql.de
Blogged today yet? http://www.insidesql.de/blogs
I support PASS Deutschland e.V. (http://www.sqlpass.de)

Basically I am a developer and not a DBA, so I cannot set the security of the server. I shall put the question in a different way. I would like to know all the parse errors occurring in my SQL Server 2005. For this I tried to use the sp_readerrorlog stored procedure. This stored procedure imports log information into a table. Or else, is there any event class which logs all parse errors?
SQL injection does not 'log in'. SQL injection relies on the authentication and authorisation already granted, although you can inject a setuser or open a connection to another system. Countering SQL injection is done through validating the input from your users, and limiting the permissions an action runs with.
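Added example, not from any poster in this thread: the dynamic-SQL filter pattern with the transaction/rollback wrapper proposed above, placed beside the parameterised and least-privilege form the last reply recommends, in T-SQL that also runs on SQL Server 2005. The table, procedure and role names are constructed for the demo.

```sql
-- Constructed demo objects for this example; names are not from the thread.
CREATE TABLE dbo.Customer (CustomerId int PRIMARY KEY, Name nvarchar(50) NOT NULL, CreditLimit money NOT NULL);
INSERT INTO dbo.Customer (CustomerId, Name, CreditLimit) VALUES (1, N'Alice', 1000);
INSERT INTO dbo.Customer (CustomerId, Name, CreditLimit) VALUES (2, N'Bob', 500);
GO

-- Vulnerable form: the filter string becomes part of the statement text, so a value
-- containing a closing quote followed by further SQL changes the query that runs.
-- Wrapping the EXEC in BEGIN TRANSACTION / ROLLBACK TRANSACTION (the idea above)
-- undoes an injected DELETE or UPDATE, but an injected SELECT still returns its rows.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Filter nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = ''' + @Filter + N'''';
    BEGIN TRANSACTION;
    EXEC (@sql);          -- anything injected runs here with this procedure's permissions
    ROLLBACK TRANSACTION; -- reverts writes only; result sets have already been sent
END
GO

-- Hardened form: sp_executesql with a typed parameter. The filter value is bound at
-- execution time and never parsed as SQL, so quotes inside it are plain data.
CREATE PROCEDURE dbo.FindCustomer_Safe @Filter nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customer WHERE Name = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Filter;
END
GO

-- Least privilege, the other half of the advice above: the application principal
-- gets EXECUTE on the safe procedure only, not SELECT or DELETE on the table itself.
CREATE ROLE CustomerReader;
GRANT EXECUTE ON dbo.FindCustomer_Safe TO CustomerReader;
GO

-- Same call shape for both; only the unsafe one can be steered by the filter value.
EXEC dbo.FindCustomer_Safe @Filter = N'Alice';
```

Calling both procedures with a filter that contains a single quote shows the difference the original question is about: the unsafe one raises a parse error (unterminated string), while the safe one simply returns no rows.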