Evan Reiser's Blog: Tips to Prevent SQL Injection

Wednesday, May 09, 2007

Tips to Prevent SQL Injection

The following are examples of steps you can take to ensure some level of protection from SQL Injection however, any situation where you are generating dynamic SQL will leave you vulnerable to clever hackers.

In order to reduce the surface area for attack, do not enable functionality that isn't required such as the SQL Server Agent service or xp_cmdshell (which allows arbitrary commands to be run on the server)

Always provide minimal permissions to the executing user in order to limit their options and reduce your exposure. In SQL Server 2005, you can impersonate users, so the new credentials will even apply to code invoked dynamically at the server. This feature opens up a whole new set of security concerns. Dynamic SQL can now run under impersonated user credentials and
not even require direct permissions from the user executing the stored procedure.

Inspect users thoroughly and used stored procedures. If characters are allowed, use pattern matching to check whether SQL injection constructs (such as single quote, two dashes, sp_, xp_, UNION etc) exist in the input.

Always limit the lengths of inputs when possible. This will help reduce the hacker's ability to damage your system. Email address fields shouldn't be thoudands of characters long.

Use stored procedures! Stored procedures encapsulate user input to the database, type checking the input as well as allowing certain permissions.

In general dynamic sql is always dangerous since the users input can end up being executed. If possible its always safer to use static code as long as attention is paid to security issues. There are several tricks you can use to avoid dynamic sql such as using functions to parse input and invoke static code. Using static code will also give you a performance edge since the current implementation of stored procedures generates a new execution plan for each input.

If you ever need to expect quotes in your input (such as text inputs for a blog or something) a safe way to prevent sql injections is to simple replace CHAR(39) with CHAR(39)+CHAR(39) this will make it impossiblefor the hacker to escape the string. Using dynamic sql can be very powerful, however misuse and/or abuse can causeinefficient code that may open your database to attacks.

No comments:

Post a Comment

Disclaimer

Evan Reiser's Blog on Technology, Database Systems, Computer Systems, AJAX, ASP.NET, SQL Server Financial Advice Disclaimer: I, Evan Reiser provide general information, not individually targeted personalised advice. Advice from this site does not take into account any investor’s particular investment objectives, financial situation and personal needs. Investors should assess for themselves whether the advice is appropriate to their individual investment objectives, financial situation and particular needs before making any investment decision on the basis of such general advice. Investors can make their own assessment of the advice or seek the assistance of a professional adviser. Investing entails some degree of risk. Investors should inform themselves of the risks involved before engaging in any investment. I, Evan Reiser, endeavor to ensure accuracy and reliability of the information provided but does not accept any liability whatsoever, whether in tort or contract or otherwise, for any loss or damage arising from the use of this site's data and systems. Past performance is not necessarily indicative of future results. Information and advice provided here is not an offer to buy or sell securities. Before commencing an investment program I recommend you seek independent professional legal, tax and investment advice as to whether it is suitable for your particular needs and circumstances. Failure to seek detailed professional personally tailored advice prior to acting could lead to you acting contrary to your own best interests and could lead to losses of capital. I, Evan Reiser, expressly deny any liability to you for loss in any manner or form now or at any time in the future. You should be aware that some investments will lose money. Conscious investment selections are on the basis of probabilities - that they are proven profitable at some point in time in the future more often than not. Any action based on this information should observe standard investment and trading rules such as diversification, stop losses and matching to personal risk tolerances. Investing strategies and actions discussed in our publications may not be suitable for you. You must make your own investment decisions in light of your own circumstances.

Evan Reiser's Blog

Wednesday, May 09, 2007

Tips to Prevent SQL Injection

No comments:

Deal of the Day

About Me

Evan's Links

Popular Posts

Contact

Blog Archive

Relevant Links

Disclaimer