Kingsley Uyi Idehen
Lexington, United States

SQL Injection FAQ

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3

Are other SQL Servers (Sybase, Oracle, DB2) subject to SQL injection?

Yes, to varying degrees. Here is a site that can get you more details on some of the issues with other SQL Servers. http://www.owasp.org

What is SQL Injection and why is all this information not included in the regular FAQ?

SQL Injection is simply a term describing the act of passing SQL code into an application that was not intended by the developer. Since this topic is not specifically restricted to SQL Server, it is not included in the normal FAQ. In fact, many of the problems that allow SQL injection are not the fault of the database server per se, but rather are due to poor input validation and coding at other code layers. However, due to the serious nature and prevalence of this problem, I feel its inclusion in a thorough discussion of SQL Server security is warranted.

What causes SQL Injection?

SQL injection is usually caused by developers who use "string-building" techniques in order to execute SQL code.  For example, in a search page, the developer may use the following code to execute a query (VBScript/ASP sample shown):

Set myRecordset = myConnection.execute("SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'")

The reason this statement is likely to introduce an SQL injection problem is that the developer has made a classic mistake: poor input validation. We are trusting that the user has not entered something malicious, something like the innocent-looking single quote ('). Let's consider what would happen if a user entered the following text into the search form:

' exec master..xp_cmdshell 'net user test testpass /ADD' --

Then, when the query string is assembled and sent to SQL Server, the server will process the following code:

SELECT * FROM myTable WHERE someText ='' exec master..xp_cmdshell 'net user test testpass /ADD'--'

Notice that the first single quote entered by the user closed the string, and SQL Server eagerly executes the next SQL statements in the batch, including a command to add a new user to the local accounts database. If this application were running as 'sa' and the MSSQLSERVER service were running with sufficient privileges, we would now have an account with which to access this machine. Also note the use of the comment operator (--) to force SQL Server to ignore the trailing quote placed by the developer's code.
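As an added example, not part of the sqlsecurity.com FAQ or of this weblog, here is the FAQ's string-building query reproduced in Python against an in-memory SQLite table standing in for myTable, beside the parameterised form that fixes it. The table, its rows, the column names and the tautology payload are constructed for this example. SQLite has no xp_cmdshell and its execute() refuses to run more than one statement, so the FAQ's batch payload is shown as the assembled SQL text it produces (and as the parse error SQLite gives it), while a tautology variant of the same quote-closing trick is actually executed to show rows leaking; on SQL Server the whole batch would run.

```python
import sqlite3

# Added example: the FAQ's ASP string-building query reproduced in Python.
# "myTable", its columns and rows are constructed for this example and
# stand in for the SQL Server table in the FAQ.


def make_db():
    """Create a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE myTable (id INTEGER PRIMARY KEY, someText TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO myTable (someText, owner) VALUES (?, ?)",
        [("apples", "alice"), ("pears", "bob"), ("plums", "carol")],
    )
    return conn


def build_query_unsafe(inputdata):
    """Literal translation of the FAQ's VBScript/ASP line:
    "SELECT * FROM myTable WHERE someText ='" & request.form("inputdata") & "'"
    The user's text is pasted straight into the SQL, quotes and all."""
    return "SELECT * FROM myTable WHERE someText ='" + inputdata + "'"


# The FAQ's payload: the leading quote closes the developer's string literal,
# the rest becomes a further statement in the batch, and the trailing --
# comments out the closing quote the developer's code appends.
FAQ_PAYLOAD = "' exec master..xp_cmdshell 'net user test testpass /ADD' --"

# Tautology variant of the same quote-closing trick (constructed): it needs
# no second statement, so it demonstrates the data leak on SQLite as well.
TAUTOLOGY_PAYLOAD = "' OR 'a'='a"


def search_unsafe(conn, inputdata):
    """The vulnerable search page: string-built SQL."""
    return conn.execute(build_query_unsafe(inputdata)).fetchall()


def search_safe(conn, inputdata):
    """The fix: a parameterised query. The driver sends the SQL text and the
    value separately, so a quote in the input can never end the literal."""
    return conn.execute(
        "SELECT * FROM myTable WHERE someText = ?", (inputdata,)
    ).fetchall()


def faq_payload_on_sqlite(conn):
    """Run the FAQ's batch payload through the unsafe path on SQLite.
    SQLite's parser rejects the injected 'exec ...' statement, so this engine
    reports an error instead of running a second statement. Returns the
    exception class name, or None if (unexpectedly) nothing was raised."""
    try:
        conn.execute(build_query_unsafe(FAQ_PAYLOAD))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return type(exc).__name__
    return None


def demo():
    """Exercise both code paths and return the observations by name."""
    conn = make_db()
    results = {
        # The exact SQL text the FAQ shows being sent to SQL Server.
        "assembled_faq_sql": build_query_unsafe(FAQ_PAYLOAD),
        "faq_payload_on_sqlite": faq_payload_on_sqlite(conn),
        # A normal search returns one row either way ...
        "unsafe_normal": len(search_unsafe(conn, "pears")),
        "safe_normal": len(search_safe(conn, "pears")),
        # ... but the tautology dumps every row through the unsafe path
        # and matches nothing through the parameterised one.
        "unsafe_tautology": len(search_unsafe(conn, TAUTOLOGY_PAYLOAD)),
        "safe_tautology": len(search_safe(conn, TAUTOLOGY_PAYLOAD)),
        # The FAQ payload is just an odd search term to the safe query.
        "safe_faq_payload": len(search_safe(conn, FAQ_PAYLOAD)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to take from the two paths is that quoting or escaping the input is not the fix; binding the value as a parameter is, because the SQL text reaching the parser is then fixed regardless of what the form contained. Running the application under a login with less privilege than 'sa' limits what a successful injection can reach, but does not remove the injection itself.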

More

Very interesting that these are all Native Interface based exploits. So the security issue isn't ODBC, JDBC, ADO.NET, or OLE DB specific (although they certainly increase the potential damage that can be unleashed via metadata analysis en route to that huge Cartesian Product; the mother of all Exploits!). Our Session Rules Book was devised in 1993 with many of these issues in mind, and to this date there are no other ODBC/JDBC/OLE DB products out there that even come close to acknowledging this reality.

# PermaLink Comments [0]
05/21/2003 18:27 GMT-0500 Modified: 06/22/2006 08:56 GMT-0500
By Harry Fuecks

Here's a question: what if I was to tell you that you can write your own version of Word using something like HTML and JavaScript? What if I added that you could run on your hard disk or launch it directly from your Web server and use it to update your site's content? It sounds a little far fetched, I know, but it's right here, right now -- and it calls itself "Zool". 

Here's what this three-part series will cover:

  • The XUL Revolution: just who is Zool?
  • Back to School: time to dust off that JavaScript...
  • Zoolology: getting ready to fire up your first XUL application
  • 3D Browsing with XUL: straight in at the deep end.
  • Desperately Seeking: the search is over.
  • Takeaway Menu: with fries please!
  • But no one uses Mozilla: back to browser detection.
  • The Rise of the Rich Client: the future is XUL.

Part 1

My Comments:
I am a firm believer in the possibilities presented by XUL. It will enable the bundling of UI, data, and data-manipulation logic (application or module) as part of a payload hosted on a report server like Virtuoso. Basically, I anticipate the emergence of an IDE that is able to persist its UI components (widgets) and UI behaviour as XML using the XUL grammar. Then along comes a XUL processor that is able to emit XUL-based UI payloads (via user-agent-aware transformation) as:
.NET/Mono Windows Forms assemblies
Javascript
Flash MX
XUL (If we know the client is Mozilla or Firebird for instance)
.....
I think this is a Virtuoso demo in the making :-)

# PermaLink Comments [0]
05/21/2003 20:49 GMT-0500 Modified: 07/07/2006 08:29 GMT-0500
By Harry Fuecks

# PermaLink Comments [0]
05/21/2003 16:49 GMT-0500 Modified: 07/07/2006 08:58 GMT-0500
Waypath has an XML-RPC interface for keyword searches on weblog content.
Could be interesting re. Virtuoso's Blogging Services.
# PermaLink Comments [0]
05/21/2003 16:25 GMT-0500 Modified: 06/22/2006 08:56 GMT-0500
by Todd Brehe

Every January, trade publications put out lists of predictions for the coming year. They discuss products, services, and trends that they think will change the way business is done, labeling some of these "disruptive technologies." 

The idea of disruptive technologies comes from Clayton Christensen's 1997 book, "The Innovator's Dilemma: When New Technologies Cause Great Firms to Fail." A disruptive technology is a method, procedure, skill, device, or material that redefines competitive standards, and it often forces us to re-examine the way we work. Also note that the technology doesn't have to be a physical item.

[skipped a little ...]

At first glance, it doesn’t appear that blogs would be at all disruptive. So why all the hype?

If we look closely at the structure and intent of blogs as a communications tool, we can see some powerful ideas at work. Blogs are a direct, one-to-many means of communicating ideas. They expand an individual’s ability to communicate. They are fresh and timely. The blogger, to maintain interest, must communicate often. Blogs enable a single person to share ideas, insights, and useful knowledge with an audience. Thanks to the web, the audience can be a global one.

Whenever a new tool or process—such as e-mail—expands communications, the effects are far-reaching and dramatic. Even though blogs have been around for 3-4 years, they could be “the next big thing.” More

# PermaLink Comments [0]
05/21/2003 16:19 GMT-0500 Modified: 06/22/2006 08:56 GMT-0500
MySQL Database Available for New AMD64 Architecture

MySQL AB, developer of the world's most popular open source database, today announced that the MySQL

# PermaLink Comments [0]
05/21/2003 15:20 GMT-0500 Modified: 06/22/2006 08:56 GMT-0500
Death of the Browser?
Scoble speculates on the death of the web browser and the rise of rich clients. I agree wholeheartedly. The internet is a great medium, and the browser has been great as a "least common denominator" for delivering information and application functions. The constantly evolving protocols on the web are enabling us to do much better though, and I think more developers should scrutinize the development of applications using the browser when rich clients can be developed, implemented, and delivered to users with ease. [via Randy Holloway's Blog]
# PermaLink Comments [0]
05/21/2003 11:22 GMT-0500 Modified: 06/22/2006 08:56 GMT-0500
Powered by OpenLink Virtuoso Universal Server
Running on Linux platform
The posts on this weblog are my personal views, and not those of OpenLink Software.