Re: Full Text Query can cause SQL Injection attack?



Any non-parameterized SQL statement (full text or otherwise) is vulnerable to SQL injection when the SQL statement is built using user-supplied values. Validation of user input can mitigate risk but parameterized SQL will eliminate it.


--
Hope this helps.

Dan Guzman
SQL Server MVP

"anoop" <anoop@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:33ABB35B-5F8B-4047-82A0-1FFFC819A387@xxxxxxxxxxxxxxxx
Hello,
I am doing Security Audit on a Website using Black Box Testing and
that uses SQL server as a back end, and it is giving free text query error in
some of the fields in which invalid input such as ("/") forward slash is
replaced by text at the server side. In other case it is displaying all the
records when forward slash is replaced by text at the server side through the
intercepting proxy Therefore I don't know the exact code, but that is for
sure that website is using Free Text queries for getting data from SQL server.

Thank you

"Adam Machanic" wrote:

Sure--any improperly formed query (i.e., one that uses dynamic SQL the wrong
way) can open the door to a SQL injection attack. If you can post your code
we can critique it and let you know if it has any issues.


--

Adam Machanic
SQL Server MVP - http://sqlblog.com

Author, "Expert SQL Server 2005 Development"
http://www.apress.com/book/bookDisplay.html?bID=10220



"anoop" <anoop@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BFD7F829-7DCA-4B0D-BDBC-8F472C5F0322@xxxxxxxxxxxxxxxx
> Hello,
> I wanted to know if Full text query can cause SQL Injection
> attack
> in an application which is using SQL server at the back end.
>
> Thank you
>
> Anoop


.



Relevant Pages

  • Re: Access 2007->SQL Server2005 "connection was forcibly closed",G
    ... I moved every table I was able to move to the SQL ... closed connections - but all of these errors are in the version which used ... the SQL Server 2000 and everything worked ... communication between ODBC (OLEDB and Native Client, ...
    (microsoft.public.sqlserver.connect)
  • It can be Done
    ... I just installed a 3 SQL Server 2005 instances on a 2 node Active/Passive cluster. ... IWiz will then offer you a choice of Group on where you can install teh Fail Over Clustered Instance of SQL. ...
    (microsoft.public.sqlserver.clustering)
  • Re: Unable to Apply SP4 to SQL 2000 Cluster (new Node)
    ... Rebuild the node in the failover cluster. ... Scenario 1" in SQL Server 2000 Books Online. ... This setup process updates to SP4 only the binaries on the new ...
    (microsoft.public.sqlserver.clustering)
  • Re: WSS 3.0 question
    ... I followed the advise given in removing WSS 3.0 etc, ... the server is complaining that the SQL service(?) was tempered with or corrupt. ... I may just instal the SQL server as I was going eventuall use it anyway. ... If WSUS 3.0 is installed, I would suggest you uninstall it and then you install WSS 3.0. ...
    (microsoft.public.windows.server.sbs)
  • Re: SQL Resets
    ... If it were SQL that was falling short, ... The default backlog for SQL Server is 5. ... System.InvalidOperationException: Internal connection fatal error. ... From time to time, under heavy loads, we are getting resets at ...
    (microsoft.public.sqlserver.connect)