SQL Injection archives - SQL Server with Mr. Denny
Home > IT Blogs > SQL Server with Mr. Denny >

SQL Server with Mr. Denny:

SQL Injection

Jan 2 2009   8:46PM GMT

Mirroring isn’t a backup solution



Posted by: mrdenny
Backup & recovery, Database security, SQL Injection, JournalSpace.com, SecurityFightClub

In case you live under a rock and haven’t heard about Journalspace.com’s little mistake, they have gone out of business due to a database problem.  Here’s a screenshot in case the site is down when you look at it.

In a nutshell it appears that they were relying on a RAID1 array as the database backup.  While we see this all the time in small database shops as noted on /. this site has been up since 2002 and had an Alexa page rank of 106,881 with 14k monthly visitors (according to Quantcast).  For a site so large to be making such a simple mistake is just unacceptable. Continued »

AddThis Social Bookmark Button     4 Comments     RSS Feed     Email a friend

Oct 1 2008   11:00AM GMT

T/SQL Code to remove SQL Injection Values from your tables



Posted by: mrdenny
SQL Injection, T/SQL

With SQL Injection Attacks being all the rage these days, I’ve been asked a couple of times for T/SQL code to clean up the database.

So I threw this code together to clean up the data. This code will clean all the character and uni-code columns in all the user defined tables in the system. You’ll need to be dbo or sysadmin to run this without error. If you have TEXT or NTEXT columns it will through an error for those columns. Cleaning TEXT and NTEXT columns is a little more complex as you can’t use the REPLACE function on a TEXT or NTEXT datatype.


DECLARE @sql NVARCHAR(4000)
DECLARE @InsertedValue NVARCHAR(1000)
SET @InsertedValue = 'The Script tags which were inserted'
DECLARE cur CURSOR FOR
  	select 'update [' + sysusers.name + '].[' + sysobjects.name + ']
  		set [' + syscolumns.name + '] = replace([' + syscolumns.name + '], ''' + @InsertedValue + ''', '''')'
  	from syscolumns
  	join sysobjects on syscolumns.id = sysobjects.id
  		and sysobjects.xtype = 'U'
  	join sysusers on sysobjects.uid = sysusers.uid
  	where syscolumns.xtype in (35, 98, 99, 167, 175, 231, 239, 241, 231)
  OPEN cur
  FETCH NEXT FROM cur INTO @sql
  WHILE @@FETCH_STATUS = 0
  BEGIN
  	exec (@sql)
  	FETCH NEXT FROM cur INTO @sql
  END
  CLOSE cur
  DEALLOCATE cur

Hopefully you find this useful. If you need code for TEXT or NTEXT columns just post a comment and I’ll throw something together.

This code will work on SQL 2000 and up (it’ll probably work on SQL 7 as well, but I don’t have a SQL 7 machine to test against).

Denny

AddThis Social Bookmark Button     2 Comments     RSS Feed     Email a friend

Jun 30 2008   11:00AM GMT

New Article: Secure SQL Server from SQL injection attacks



Posted by: mrdenny
Security, SQL Injection, Attack Prevention

An article that I wrote about securing your SQL Server from SQL Injection attacks was just published.  It covers information from both a DBAs point of view and a .NET developers point of view.

Denny

AddThis Social Bookmark Button     0 Comments     RSS Feed     Email a friend