Website & SQL Server Security



OK,

I'm sure this has been dealt with before, but when I read other posts I
kind of get lost in the jargon. OK, the reason for my being here is that
I developed a website that recently got hit by a SQL injection attack.

Off the back of that, I have decided to rethink my security strategy to
ensure it doesn't happen again.

From my vague understanding of SQL Server, I have decided to set up my
SQL Server authentication to allow only db_datareader access and also
to grant permissions to my stored procedures.

To me this means that front-end users will only be able to run
"SELECT" command statements on my data tables and run the stored
procedures as I have set them up.

What I'm wondering about is: is this really what this means, or does this
mean that someone could do SQL injection again through one of my
forms and delete or insert into my database?


BTW, I've added extra validation to all my user input forms to restrict
SQL injection, but it's the database stuff I need to know more about.

Any help appreciated.

CG
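The setup the post describes (a read-only role plus EXECUTE on specific procedures), as an added T-SQL example that is not from the original thread; the database, login, user, table and procedure names are hypothetical:

```sql
-- Added example, not from the original post. Hypothetical names throughout:
-- MyDatabase, WebAppLogin, WebAppUser, dbo.Products, dbo.GetProductByName.
USE MyDatabase;
GO

-- 1. A dedicated login for the website; the site never connects as sa or db_owner.
CREATE LOGIN WebAppLogin WITH PASSWORD = '<strong-password-placeholder>';
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GO

-- 2. db_datareader grants SELECT on every user table and nothing else.
--    (sp_addrolemember works on all versions; ALTER ROLE ... ADD MEMBER is the
--    newer syntax.)
EXEC sp_addrolemember 'db_datareader', 'WebAppUser';
GO

-- 3. A stored procedure that takes its input as a parameter. @Name is bound as
--    data, so a value containing a quote is searched for literally instead of
--    being parsed as SQL text. Concatenating @Name into a string and running it
--    with EXEC would throw that protection away.
CREATE PROCEDURE dbo.GetProductByName
    @Name NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Price
    FROM dbo.Products
    WHERE Name = @Name;
END
GO

-- 4. Grant EXECUTE on this one procedure, not on the whole schema.
GRANT EXECUTE ON OBJECT::dbo.GetProductByName TO WebAppUser;
GO

-- 5. Verify what the web user can actually do (run this as an administrator).
EXECUTE AS USER = 'WebAppUser';
SELECT HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'INSERT')           AS CanInsert,  -- expect 0
       HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'DELETE')           AS CanDelete,  -- expect 0
       HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'SELECT')           AS CanSelect,  -- expect 1
       HAS_PERMS_BY_NAME('dbo.GetProductByName', 'OBJECT', 'EXECUTE')  AS CanExec;    -- expect 1
REVERT;
GO
```

The grants limit what an injected statement can change (no INSERT or DELETE through the web user), but a SELECT-only account can still be made to read any table it can see, so the web code must pass user input to the procedure as a bound parameter (for example through a parameterized command object) rather than building the EXEC string by concatenation.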


