Re: SQL Injection prevention

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 06/22/04


Date: Tue, 22 Jun 2004 18:57:17 GMT

On Mon, 21 Jun 2004 10:19:40 -0700, Dan Avni <danavni@officecore.com>
wrote:

>Jeff Hi,
>
>Thanks for the quick response. In reality I am more of a development
>company than a hosting company. This client is a long time client of
>ours so we wanted to do him a favor and help him a bit in hosting his
>site on our servers. Of course I will not do that if his site poses any
>danger to my sites/DBs on the server.
>
>The only thing the developers did for my client is make sure that the
>single quote (') symbol is replaced with a double quote '' in order to
>prevent SQL injection. I as a developer know this is not the only way to
>do SQL injection and am therefore concerned about the site going live on my
>server.
>
>However, my question still remains. If I set up a SQL Server user who
>has access only to a specific DB, will hackers be able to use SQL
>injection to do harm to any other DB on the server or to the server
>itself?

Maybe, but not guaranteed. For example, if XP_CMDSHELL can be run,
the entire box is at risk even if the user has access only to a single
database. The analogy is having a kitchen door with an insecure lock.
Instead of fixing the lock, you put good locks on the door to the
dining room from the kitchen and the door to the hall. That way, even
if a thief gets in, he's limited to the kitchen and can only steal
your beer.

But if the kitchen has a stove, he can also use it to set the house on
fire. :)

SQL injection is always tough to deal with. You can mitigate many
pieces, reducing your exposure to damage, but unless the app is
designed from the ground up to prevent injection there may always be
some hole an attack can slip through.

Jeff
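An added example, not from the thread or either poster, showing why Dan's developers' single-quote doubling is only a partial defence: it holds up in a string context, does nothing in a numeric context where no quotes surround the value, and a parameterised statement removes the problem in both. It runs against an in-memory SQLite table constructed here (the behaviour is the same for SQL Server); table, column and probe values are all made up for the demonstration.

```python
import sqlite3

# Constructed sample table (not from the original thread) so the
# example runs offline against SQLite; the point holds for SQL Server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "o'brien")])
    return conn

def quote_doubling(value):
    # The only defence the thread describes: turn ' into ''.
    return str(value).replace("'", "''")

def by_name_escaped(conn, name):
    # String context: the doubled quote keeps the literal closed.
    sql = "SELECT name FROM users WHERE name = '%s'" % quote_doubling(name)
    return [r[0] for r in conn.execute(sql)]

def by_id_escaped(conn, user_id):
    # Numeric context: no quotes surround the value, so doubling changes
    # nothing and the raw input becomes part of the statement text.
    sql = "SELECT name FROM users WHERE id = %s" % quote_doubling(user_id)
    return [r[0] for r in conn.execute(sql)]

def by_id_param(conn, user_id):
    # Parameterised statement: the value is bound as data, never parsed as SQL.
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [r[0] for r in rows]

# Constructed probe inputs: a legitimate name containing a quote, and an
# id value that is not a number and must never change the query's shape.
LEGIT_NAME = "o'brien"
NON_NUMERIC_ID = "1 OR 1=1"

def demo():
    conn = make_db()
    return {
        "escaped_string_ok": by_name_escaped(conn, LEGIT_NAME),
        "escaped_numeric": by_id_escaped(conn, NON_NUMERIC_ID),
        "param_numeric": by_id_param(conn, NON_NUMERIC_ID),
    }
```

Running `demo()` shows the escaped string lookup returning only the one matching row, the escaped numeric lookup returning every row, and the parameterised lookup returning nothing for the non-numeric value.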
