Evan Reiser's Blog: SQL Server Log Bypass

Monday, September 24, 2007

SQL Server Log Bypass

SQL Server (in)conveniently doesn't log queries which have sp_password in it (so the passwords don't show up in the logs).

This means that someone trying to break into your database using SQL injection can tack on "--sp_password" to the end of all their queries to avoid leaving a trail in the DB logs.

Of course all the requests will be stored in the web server log. Unless of course you use POST instead of GET

No comments:

Post a Comment

Disclaimer

Evan Reiser's Blog on Technology, Database Systems, Computer Systems, AJAX, ASP.NET, SQL Server Financial Advice Disclaimer: I, Evan Reiser provide general information, not individually targeted personalised advice. Advice from this site does not take into account any investor’s particular investment objectives, financial situation and personal needs. Investors should assess for themselves whether the advice is appropriate to their individual investment objectives, financial situation and particular needs before making any investment decision on the basis of such general advice. Investors can make their own assessment of the advice or seek the assistance of a professional adviser. Investing entails some degree of risk. Investors should inform themselves of the risks involved before engaging in any investment. I, Evan Reiser, endeavor to ensure accuracy and reliability of the information provided but does not accept any liability whatsoever, whether in tort or contract or otherwise, for any loss or damage arising from the use of this site's data and systems. Past performance is not necessarily indicative of future results. Information and advice provided here is not an offer to buy or sell securities. Before commencing an investment program I recommend you seek independent professional legal, tax and investment advice as to whether it is suitable for your particular needs and circumstances. Failure to seek detailed professional personally tailored advice prior to acting could lead to you acting contrary to your own best interests and could lead to losses of capital. I, Evan Reiser, expressly deny any liability to you for loss in any manner or form now or at any time in the future. You should be aware that some investments will lose money. Conscious investment selections are on the basis of probabilities - that they are proven profitable at some point in time in the future more often than not. Any action based on this information should observe standard investment and trading rules such as diversification, stop losses and matching to personal risk tolerances. Investing strategies and actions discussed in our publications may not be suitable for you. You must make your own investment decisions in light of your own circumstances.

Evan Reiser's Blog

Monday, September 24, 2007

SQL Server Log Bypass

No comments:

Deal of the Day

About Me

Evan's Links

Popular Posts

Contact

Blog Archive

Relevant Links

Disclaimer