Preventing Injection attacks
22/08/2008 14:50:56
Forum: Microsoft SQL Server
Category: Other
SQL Server: SQL Server 2005
Thread ID: 01341172
Message ID: 01341212
This message has been marked as the solution to the initial question of the thread.
>Hi everybody,
>
>I'm thinking that instead of trying to intercept every request we may try to use UPDATE/INSERT triggers for every table and reject entries containing < script >. Does it sound like a better approach?
>
>What do you think?
>
>Thanks in advance.

I think it would make sense to research it fully. Here's a few to get you started:

http://www1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
http://msdn.microsoft.com/en-us/library/bb355989.aspx
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
http://www.colinmackay.net/tabid/57/Default.aspx
http://msdn.microsoft.com/en-us/library/aa224806.aspx

There are some appliances and tools like WatchFire AppScan, Applicure's DotDefender, or eEye's REM Security Management Appliance. Most are cost prohibitive though.

One thing you can do though is download the trialware of some checking tools so you can use it as a test to check for vulnerabilities...

http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners
.·*´¨)
.·`TCH
(..·*
