
SQL Server 2005 Triggers, SQL Injection Attacks Again

New SQLonCall Show Posted

Top 10 Things Seen with SQL Server in 2007. Mistakes, Tips, Tricks and Experiences. Learn from 2007, Continue What Works, Stop What Does Not.


Featured Article(s)
Tips for using SQL Server 2005 triggers
Here are some helpful tips to performance tune and optimize SQL Server 2005 triggers.

Pulling Information From Non-Relational Sources…
…is possible. In fact, pulling together sections of a worksheet, CSV reports and other non-traditional data sources just got a whole lot easier. In SSIS, you can now use DataDefractor – a tool that lets you automate the combination of information from these types of sources, which used to be very difficult to include. Need to extract only a portion of the data? No problem. Take a look at DataDefractor here, and get your free trial copy to see exactly how you can put it to use.

Injection… Again.
I don’t know if you’ve seen the reports, but there is a "mass attack" (my term) going on: an automated SQL injection engine of sorts is out looking for login and registration systems and then attempting SQL injection against each site it finds.

What’s unique about this is that it’s a very broad attack, not a hacker trying to breach systems one at a time, as has traditionally been the case. This means that turning this thing loose on all types of sites is "just" a matter of replicating the engine and letting it run amok. You can see that this could be a (rather successful) test of a brute-force approach to trying out just about every other attack that has, to date at least, depended on a person doing the work. Traditional injection is about interpreting results: seeing what the site or application returns and tweaking your approach. With a forced, automated approach, coming in on multiple attack vectors simultaneously is very possible.

If you’re not testing your systems, I highly recommend you consider it. There are some solid tools and services out there that can help you learn a lot about what vulnerabilities you may have, and they generally help you understand both how those vulnerabilities work and how to prevent them. With this go-round of injection attacks, I’ve seen reports of as many as 70,000 servers infected. That’s a big number, and the infections are not passive – they’re malicious injection of JavaScript code.

Take the steps now to learn what can be done to and for your systems.

Featured White Paper(s)
Improving .NET Application Performance and Reliability with Managed Database Connectivity
Your choices about data access can make the difference between project success and project failure. Read this whitepaper and… (read more)

Enhancing Project Quality Through the Adoption of Lightweight Software Development Methodologies
Lightweight software development methodologies, such as Agile, are rapidly becoming de-facto best practices for software deve… (read more)