Beware SQL Injection

Microsoft’s UK site was defaced on June 26 by hackers apparently from Saudi Arabia, using a SQL Injection attack. This comes only a few weeks after another Microsoft web site defacement by SQL Injection attack back in early May.

This is a fairly old and easy-to-defeat attack method that is not SQL Server specific. Someone enters malformed SQL into a text box whose value is used to build a dynamic SQL string that is then submitted to the database server. Because the input becomes part of the statement itself, the attacker can run unauthorized queries to discover the structure of your database and to read, alter, or delete your data.

You can defeat this type of attack by limiting and validating your input, by using stored procedures or parameterized queries so that user data is never spliced into SQL text, and by applying the principle of least privilege to the account the application connects with. This MSDN article explains the concept in more detail.
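The following added example (not code from the original post, and not Microsoft's) shows the three points above side by side using Python's built-in sqlite3 module against a small constructed in-memory table: a lookup built by string concatenation, the same lookup as a parameterized query, an allow-list validator for the text-box value, and a read-only authorizer standing in for a least-privilege database account. The table, the sample rows, and the malformed input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db():
    """Build an in-memory database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_dynamic(conn, username):
    """VULNERABLE: the text-box value is concatenated into the SQL string,
    so whatever the user types becomes part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """SAFE: the value is bound as a parameter; the driver never treats it as SQL text."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list validation: a username may only contain word characters (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """Reject any input that is not a plain identifier before it reaches the database."""
    return USERNAME_RE.fullmatch(username) is not None


def restrict_to_read_only(conn):
    """Least privilege: deny every write/DDL action on this connection, the way a
    read-only database login would, so even a successful injection cannot modify data."""
    write_actions = {
        sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
        sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE,
    }

    def authorizer(action, arg1, arg2, db_name, source):
        return sqlite3.SQLITE_DENY if action in write_actions else sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def try_delete_all(conn):
    """Attempt a destructive statement; returns 'denied' when the authorizer blocks it."""
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return "deleted"
    except sqlite3.DatabaseError:
        return "denied"


def demo():
    conn = make_db()
    restrict_to_read_only(conn)
    benign = "alice"
    malformed = "' OR '1'='1"  # constructed malformed input of the kind the post describes
    results = {
        "dynamic_benign": lookup_dynamic(conn, benign),
        "dynamic_malformed": lookup_dynamic(conn, malformed),  # returns every row
        "param_benign": lookup_parameterized(conn, benign),
        "param_malformed": lookup_parameterized(conn, malformed),  # returns nothing
        "validator_accepts_benign": is_valid_username(benign),
        "validator_accepts_malformed": is_valid_username(malformed),
        "delete_attempt": try_delete_all(conn),
    }
    results["rows_after"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The dynamic query returns both rows for the malformed input because the quote characters close the string literal and the rest is parsed as SQL; the parameterized query returns nothing because the whole value is compared as data. The validator rejects the input before any query is built, and the read-only authorizer means that even a statement that does reach the database cannot delete anything.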

This entry was posted in SQL Server 2005. Bookmark the permalink.
