SQL Server with Mr. Denny

December 27, 2007  8:00 AM

Avoiding SQL Injection Attacks

Denny Cherry

The most common way for people to insert invalid data into, or cause damage to, your database is through what is called a SQL Injection Attack.  This is when malicious code is placed within the responses which the application expects, that code is not caught, and it is executed instead.  The level of access which your application account has to the SQL Server determines how successful the injection attack will be.

There are ways to protect yourself.  The first and most important is that the account which the application uses to connect to the database should have the least set of rights necessary to do its job.  Don’t make the account dbo or sysadmin just so that everything works correctly without you having to modify the rights when you add objects.  The second requires your front end developers (the ASP, .NET, etc. folks) to understand the potential problem so that they code the application in such a manner that the risk is reduced or removed.

(Please keep in mind that I’m not an application coder so my application code shown below may not be perfect.)

If they use in-line T/SQL commands such as this:

dim v_ado, v_sql, v_conn
v_conn = "Provider=sqloledb;Data Source=sqlserver;Initial Catalog=AdventureWorks;User ID=UserName;Password=password;"
' Both form values are concatenated straight into the command text
v_sql = "exec usp_Something @var1='" & request.form("Var1") & "', @var2='" & request.form("Var2") & "'"
set v_ado = CreateObject("ADODB.RecordSet")
on error resume next
v_ado.open v_sql, v_conn, 3, 3

Then you are open to an injection attack.  This is because I can simply put “‘; SELECT * FROM sys.tables” into one of the form fields which I submit back to you, and my SELECT statement will be executed against your SQL Server.  How your rights are set up then determines how successful my command is.  The configuration of your UI then determines what data, if any, is returned back to me through the UI.  If I find that I have rights to do things and I can get the UI to return data to me, I can then have the SQL Server return your customer data, or, if I’m feeling like causing you some headaches, I can drop all your tables with correctly crafted code.

The best way to avoid being open to these attacks is to use parameterized code on the front end.  This allows you to pass in your variables without leaving the site open to attack, as a T/SQL command string isn’t passed directly to the SQL Server.  This is done using the technique shown here.

Imports System.Data
Imports System.Data.SqlClient

Dim v_ConnString As String
v_ConnString = "Server=servername;Database=AdventureWorks;uid=username;pwd=password;"
Dim v_Connection As New SqlConnection(v_ConnString)

Dim v_Command As New SqlCommand("usp_Something", v_Connection)
v_Command.CommandType = CommandType.StoredProcedure
' Each form value is bound as a typed parameter; it is never part of the command text
v_Command.Parameters.AddWithValue("@var1", Request.Form("Var1"))
v_Command.Parameters.AddWithValue("@var2", Request.Form("Var2"))
v_Connection.Open()
Dim v_Reader As SqlDataReader = v_Command.ExecuteReader()

If your developers insist on using the first method, all is not lost.  There is still a method which can be used to help protect the database.  Each value which is returned from the end user has to be validated.  Any single quote should be replaced with two single quotes.  This way anything which the malicious code executor tries to push through is turned back into a string value.  Also, all inputs, regardless of data type, should be surrounded by single quotes.  If this isn’t done, then when passing in a number value the attacker can easily run their own code without being caught by the single quote check.

dim v_ado, v_sql, v_conn
v_conn = "Provider=sqloledb;Data Source=sqlserver;Initial Catalog=AdventureWorks;User ID=UserName;Password=password;"
' Single quotes are doubled, but @var1 is a number and so is not wrapped in quotes
v_sql = "exec usp_Something @var1=" & Replace(request.form("Var1"), "'", "''") & ", @var2='" & Replace(request.form("Var2"), "'", "''") & "'"
set v_ado = CreateObject("ADODB.RecordSet")
on error resume next
v_ado.open v_sql, v_conn, 3, 3

If I then set the value of the Var1 form element to “6; select * from sys.tables” I will be able to query all the tables, and my code won’t ever be caught by the single quote check.

Unfortunately, once the data has been submitted to the database there isn’t much which can be done within SQL to decide if there is malicious code within the string, mostly because your stored procedure probably won’t ever see the malicious code.  The attacker terminates the stored procedure call and runs their command after it (using the technique I showed above), so any checking that you did within the procedure won’t do anything.

These techniques are not foolproof.  The best protection against an injection attack is the parameterized code method shown above.  No matter what the attacker places in the form fields it won’t be executed, as the engine (ASP, .NET, JSP, PHP, etc.) will simply take the value and add it as a parameter to the procedure, no matter how the attacker tries to escape out to run their own code.  Protecting the database from an injection attack is a shared responsibility between the DBA and the front end developer.  Neither person or team should try to put the entire responsibility on the other.  DBAs need to make sure that object rights are as minimal as possible, and front end developers need to make sure that the commands never get sent to the database in the first place.
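As an added example (not code from the post), the two approaches above restated inside SQL Server with dynamic SQL, so that concatenating a value into command text and binding it as a parameter can be compared in one script, followed by the least-privilege setup the post asks for.  The table dbo.Customers, the two procedures and the user AppUser are all made-up names for this illustration.

```sql
-- Added example, not the post's own code. All object names are made up.
SET NOCOUNT ON;
CREATE TABLE dbo.Customers (CustomerId int NOT NULL PRIMARY KEY, Name nvarchar(50) NOT NULL);
INSERT INTO dbo.Customers (CustomerId, Name) VALUES (6, N'Sample customer');  -- constructed row
GO

-- 1. Concatenation: the caller's text becomes part of the statement, exactly like
--    the in-line T/SQL in the post. Shown only for contrast; it is never run here.
CREATE PROCEDURE dbo.usp_Something_Concat @var1 nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT Name FROM dbo.Customers WHERE CustomerId = ' + @var1;
    EXEC (@sql);   -- a value such as N'6; select * from sys.tables' becomes two statements
END;
GO

-- 2. Parameterised: the same value is bound to @id, a typed parameter of the inner
--    statement. It is compared as data and is never parsed as T-SQL.
CREATE PROCEDURE dbo.usp_Something_Param @var1 nvarchar(100)
AS
BEGIN
    EXEC sys.sp_executesql
        N'SELECT Name FROM dbo.Customers WHERE CustomerId = @id;',
        N'@id int',
        @id = @var1;   -- the nvarchar input is converted to int here, or the call fails
END;
GO

-- Legitimate input works as before.
EXEC dbo.usp_Something_Param @var1 = N'6';          -- Sample customer

-- The payload from the post against the parameterised procedure: it cannot be
-- converted to int, so the call raises a conversion error and nothing else runs.
BEGIN TRY
    EXEC dbo.usp_Something_Param @var1 = N'6; select * from sys.tables';
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS rejected_input;
END CATCH;
GO

-- 3. Least privilege: the application's database user gets EXECUTE on the one
--    procedure it needs and no rights on the table itself. Ownership chaining
--    (both objects owned by dbo) lets the procedure read the table on its behalf.
CREATE USER AppUser WITHOUT LOGIN;   -- stand-in for the real application login
GRANT EXECUTE ON OBJECT::dbo.usp_Something_Param TO AppUser;

EXECUTE AS USER = 'AppUser';
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT')            AS can_select_table, -- 0
       HAS_PERMS_BY_NAME('dbo.usp_Something_Param', 'OBJECT', 'EXECUTE') AS can_exec_proc;    -- 1
EXEC dbo.usp_Something_Param @var1 = N'6';   -- still returns the row via ownership chaining
REVERT;
GO

-- Clean up.
DROP USER AppUser;
DROP PROCEDURE dbo.usp_Something_Concat;
DROP PROCEDURE dbo.usp_Something_Param;
DROP TABLE dbo.Customers;
```

The parameterised procedure declares the inner parameter as int on purpose: a front end that binds the value as a typed parameter gets the same effect, because the value is converted to the declared type before the statement is compiled, so text that is not a number is rejected instead of being parsed.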

Have you seen any other techniques which can be used to protect the database?  Share them in the comments below.


December 19, 2007  8:00 AM

Microsoft SoCal Code Camp Coming Up

Denny Cherry

The Microsoft Code Camp is coming up shortly.

I’ve submitted three sessions (so far) to the organizers of the code camp.  They’ve told me that odds are I’ll be able to do all three sessions.  I’ve tagged all my sessions with SQL Server to make them easier to find.

For those in Southern California (or anyone who’s looking for an excuse to come to lovely Fullerton Community College during January) check out the site http://www.socalcodecamp.com/.

For those looking for an excuse to come from out of the area: while the Midwest and back east are buried in snow and cold in January, Southern California is usually somewhere in the 60s or 70s.

See you there.


December 17, 2007  8:00 AM

Microsoft Announces SQL 2008 Launch Event

Denny Cherry

Microsoft has announced the schedule for the SQL 2008 launch event.

You can register here.

The official launch is being held in Los Angeles this time around.  I’ll be there; hopefully you will be there as well.


December 15, 2007  5:38 AM

New Article: SQL Server encryption vs. hashing for data security

Denny Cherry

I’ve published a new tip over on SearchSQLServer.com entitled “SQL Server encryption vs. hashing for data security”.

(It was published a couple of days ago, I just didn’t get notice until today.)


December 13, 2007  8:00 AM

So what’s the difference between null and a blank field

Denny Cherry

There is always a discussion going on somewhere about having NULL values in a database.  Some people (such as myself) are fine with NULL values.  Some people don’t like having NULL values in their database for some reason.  I’ve heard all sorts of reasons: “They screw up performance”, “They are hard to deal with”, “I like using a default value better”, “Default values are easier to work with”.

The performance one is just bunk.  NULL values are indexed just like any other value.

The rest of the reasons not to use NULL values ignore the fact that a NULL value is a perfectly legitimate value for some fields.  Not all fields should allow a NULL value to be placed in them.  If you are building a shopping cart and have a line items table, the Quantity and Price fields probably shouldn’t allow NULLs, as you should know the price and quantity when creating the invoice.  However, in the same shopping cart application the user’s phone number may need to allow NULL values.

Something which is key to remember about NULL values is that NULL doesn’t mean nothing.  It means unknown.  There may be a value, there may not; we simply do not know what that value is.  Putting in some default value then puts a value on the field when there shouldn’t be one.  A great example which I read recently involved a hypothetical database at a blood bank.  A person comes in needing blood.  They are entered into the system, but the recipient’s blood type isn’t known.  If you put in a default value of a blank, then when you go to query the supply table, any pints of blood which have not been typed will also have a blank value (as that is your standard default value).  You’ll get a match when you run the query and possibly give the recipient blood of the wrong type.  Now if you were using NULL values in the database the query would return no matching values, as NULL does not equal NULL (under the default settings of Microsoft SQL Server a comparison of NULL with NULL is never true).  Granted, we should be able to trust that the person giving the recipient the blood would check the typing, but would you rather trust a person or the computer?  People are overworked and usually underpaid, and nurses and doctors make simple mistakes just like the rest of us.  Personally I’d rather know that the system wouldn’t find a match than have to worry that I’d be getting the wrong type of blood.

If you really want to display that default value when the data is returned that’s what the ISNULL system function is for.  This way you don’t have to write long case statements around each field which allows NULL.
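The blood-bank scenario above, run both ways as an added example (not code from the post).  The tables, columns and rows are constructed for the illustration; the script assumes SET ANSI_NULLS ON, which is the default for ODBC and OLE DB connections.

```sql
-- Added example, not the post's own code. Names and rows are made up.
SET ANSI_NULLS ON;   -- default for ODBC/OLE DB connections; NULL = NULL is then never true
CREATE TABLE #Recipient (RecipientId int NOT NULL PRIMARY KEY, BloodType varchar(3) NULL);
CREATE TABLE #Supply   (PintId      int NOT NULL PRIMARY KEY, BloodType varchar(3) NULL);

-- One recipient whose type has not yet been determined, two typed pints and one
-- pint that has not been typed either (constructed rows).
INSERT INTO #Recipient (RecipientId, BloodType) VALUES (1, NULL);
INSERT INTO #Supply (PintId, BloodType) VALUES (10, 'A+');
INSERT INTO #Supply (PintId, BloodType) VALUES (11, 'O-');
INSERT INTO #Supply (PintId, BloodType) VALUES (12, NULL);

-- Design 1: unknown stored as NULL. The join compares NULL with NULL, which is
-- UNKNOWN rather than TRUE, so no pint is matched to the untyped recipient.
SELECT r.RecipientId, s.PintId
FROM #Recipient AS r
JOIN #Supply    AS s ON s.BloodType = r.BloodType;   -- 0 rows

-- Design 2: unknown stored as a blank default on both tables. Blank equals blank,
-- so the untyped pint is "matched" to the untyped recipient.
UPDATE #Recipient SET BloodType = '' WHERE BloodType IS NULL;
UPDATE #Supply    SET BloodType = '' WHERE BloodType IS NULL;
SELECT r.RecipientId, s.PintId
FROM #Recipient AS r
JOIN #Supply    AS s ON s.BloodType = r.BloodType;   -- 1 row: recipient 1, pint 12

-- Back to NULL, with the placeholder applied on output by ISNULL instead of being
-- stored, so reports read well without the matching query being fooled.
UPDATE #Recipient SET BloodType = NULL WHERE BloodType = '';
UPDATE #Supply    SET BloodType = NULL WHERE BloodType = '';
SELECT RecipientId, ISNULL(BloodType, 'not typed') AS BloodType FROM #Recipient;

-- Finding the untyped rows has to be explicit: = NULL never matches, IS NULL does.
SELECT PintId FROM #Supply WHERE BloodType = NULL;    -- 0 rows
SELECT PintId FROM #Supply WHERE BloodType IS NULL;   -- pint 12

DROP TABLE #Recipient;
DROP TABLE #Supply;
```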

NULL values have their place, just like data does.  NULL values don’t mean that we don’t care about the data; they mean that we simply don’t know the value of the data as of yet.  It shows that we care about the system and the people using it.  How annoying is it to look at a form which is full of default values and have to read through all of them instead of simply looking at the ones which are blank?

December 10, 2007  8:00 AM

Temp Tables, Table Variables, and CTEs

Denny Cherry

There are some major differences between temp tables, table variables and common table expressions (CTEs).  Some of the big differences are:

Temp Tables vs. Table Variables

  1. SQL Server does not place locks on table variables when they are used.
  2. Temp tables allow multiple indexes to be created.
  3. Table variables allow only a single index, the Primary Key, and only when the table variable is declared.  The exception is that other indexes can be created inline, for example by creating a unique constraint inline as shown in the comments.  However these indexes (and the table variable in general) will always be assumed to contain 1 row, no matter how much data is within the table variable.
  4. Temp tables can be created locally (#TableName) or globally (##TableName).
  5. Table variables are destroyed when the batch completes.
  6. Temp tables can be used throughout multiple batches.
  7. Temp tables can be used to hold the output of a stored procedure (temp tables will get this functionality in SQL Server 2008).

Table variables and Temp Tables vs. CTEs

  1. CTEs can only be used by the single command which immediately follows them.
  2. CTEs can be recursive within a single command (be careful, because they can cause an infinite loop).
  3. Table variables and temp tables can be used throughout the batch.
  4. The command before the CTE must end with a semicolon (;).
  5. As temp tables and table variables are tables, you can insert, update and delete the data within them.
  6. CTEs cannot have any indexes created on them; the source tables must have the indexes created on them.
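An added example (not the post's own code) that exercises the differences listed above in one script: a temp table with two indexes that survives a batch boundary, a table variable whose only indexes come from inline constraints and which disappears at GO, a CTE that needs the preceding semicolon and lives for one statement, and a recursive CTE with a MAXRECURSION cap as the guard against the infinite loop the post warns about.  The #Orders and @Totals names and the rows are made up.

```sql
-- Added example, not the post's own code. Names and rows are constructed.
-- Temp table: several indexes allowed, and it survives across batches.
CREATE TABLE #Orders (OrderId int NOT NULL, CustomerId int NOT NULL, Amount money NOT NULL);
CREATE CLUSTERED INDEX IX_Orders_OrderId ON #Orders (OrderId);
CREATE NONCLUSTERED INDEX IX_Orders_CustomerId ON #Orders (CustomerId);
INSERT INTO #Orders (OrderId, CustomerId, Amount) VALUES (1, 100, 25.00);
INSERT INTO #Orders (OrderId, CustomerId, Amount) VALUES (2, 100, 40.00);
INSERT INTO #Orders (OrderId, CustomerId, Amount) VALUES (3, 200, 10.00);
GO

-- New batch: the temp table is still here.
SELECT COUNT(*) AS rows_in_temp_table FROM #Orders;   -- 3

-- Table variable: indexes only through constraints declared inline.
DECLARE @Totals TABLE (
    CustomerId int   NOT NULL PRIMARY KEY,   -- index created by the key
    Total      money NOT NULL,
    UNIQUE (Total, CustomerId)               -- second index, also declared inline
);
INSERT INTO @Totals (CustomerId, Total)
SELECT CustomerId, SUM(Amount) FROM #Orders GROUP BY CustomerId;
UPDATE @Totals SET Total = Total * 2 WHERE CustomerId = 200;   -- table variables are updatable
SELECT CustomerId, Total FROM @Totals;   -- (100, 65.00), (200, 20.00)
GO

-- The batch has ended: @Totals no longer exists (referencing it now is a compile
-- error), while #Orders does.

-- CTE: defined immediately before the single statement that uses it, and the
-- statement before the WITH must be terminated with a semicolon.
SELECT COUNT(*) AS still_here FROM #Orders;   -- note the ';'
WITH CustomerTotals AS (
    SELECT CustomerId, SUM(Amount) AS Total FROM #Orders GROUP BY CustomerId
)
SELECT CustomerId, Total FROM CustomerTotals WHERE Total > 20;   -- (100, 65.00)
-- CustomerTotals cannot be referenced by any later statement.

-- Recursive CTE: anchor row plus a bounded recursion. MAXRECURSION caps the
-- depth so a wrong stop condition raises an error instead of looping forever.
WITH Numbers AS (
    SELECT 1 AS n
    UNION ALL
    SELECT n + 1 FROM Numbers WHERE n < 10
)
SELECT n FROM Numbers
OPTION (MAXRECURSION 100);   -- 1..10

DROP TABLE #Orders;
```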

If you can think of anything that I’ve missed, feel free to post them in the comments.


December 5, 2007  8:00 AM

A well timed code freeze is critical to keeping your sanity.

Denny Cherry

Doing a code freeze at this time of year can be crucial to keeping your sanity.  Often the business unit likes to push out last minute changes before the year end.  This often means pushing last minute code (which, as everyone knows, isn’t always perfect), which can lead to unpleasant little phone calls from the business or the NOC in the middle of holiday festivities.

Do yourself and your family a favor: push for a code freeze until after the new year.  The developers will thank you, the business will hate you (but really, what else is new).  I like about a three week code freeze (emergency bug fixes are exempt, but they have to actually be bug fixes, and they have to be an emergency) starting about December 15 and ending about January 3 (depending on when the weekends fall).

It can be tough to get a code freeze implemented at first.  But after the first year with the code freeze everyone will want to do it the next year.


December 3, 2007  8:00 AM

SQL 2008 November CTP

Denny Cherry

Well, I’ve finally gotten around to installing the SQL 2008 November CTP.  While walking through the installer I have seen some excellent changes.  Not only is the option to change the paths of the data files no longer hidden, there are more than just two options.  There are at least 7 paths that you get to specify while installing.  The first one is the Shared component directory.  This appears to be the base path under which all your binaries are placed.

Next you get the Instance root directory.  This is where the system database files will be placed, so make sure that you don’t point this to the C drive if you want the system databases on another drive.

A couple of screens later you get to set 6 install paths.  The first is the data root directory.  This changes the base path for all the other options.  The others are the User database folder, user database log folder, tempdb data folder, tempdb log folder, and the backup directory.

This amount of flexibility in the installer is a first, and it’s a welcome change.  Look for more posts, tips and articles about SQL Server 2008 in the coming weeks and months up till the release.


November 30, 2007  8:00 AM

New Article: Tricks to increase SQL Server query performance

Denny Cherry

I’ve published a new tip over on SearchSQLServer.com entitled “Tricks to increase SQL Server query performance”.


November 28, 2007  7:38 AM

What’s up with the N in front of string values?

Denny Cherry

If you have looked at pretty much any Microsoft provided T/SQL code you have probably seen an N in front of a string value when setting a variable much like this.

SELECT name
FROM sys.databases
WHERE name = N'master'

What this N does is tell the SQL Server that the data which is being passed in is Unicode and not character data.  When using only the Latin character set this is not really needed.  However, if using characters which are not part of the basic Latin character set, then the N is needed so that SQL knows that the data it is being given is Unicode data.
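An added example (not the post's own code) of what changes when the N is left off.  The Greek text is a constructed sample, and the script assumes the database uses a Latin1 collation such as SQL_Latin1_General_CP1_CI_AS, whose code page cannot hold Greek letters in character (non-Unicode) data.

```sql
-- Added example, not the post's own code. Assumes a Latin1 database collation.
DECLARE @with_n nvarchar(20);
DECLARE @without_n nvarchar(20);

SET @with_n    = N'Ωμέγα';   -- literal is nvarchar: every character is kept
SET @without_n = 'Ωμέγα';    -- literal is varchar first, then converted on assignment;
                             -- characters outside the code page have already become '?'
SELECT @with_n AS with_n, @without_n AS without_n;
-- with_n: Ωμέγα   without_n: ?????

-- The literal's own type is the reason: without N it is varchar, with N nvarchar.
SELECT SQL_VARIANT_PROPERTY('master',  'BaseType') AS plain_literal,   -- varchar
       SQL_VARIANT_PROPERTY(N'master', 'BaseType') AS n_literal;       -- nvarchar

-- With Latin-only data both spellings find the same row, which is why the prefix
-- is easy to forget until non-Latin data shows up.
SELECT name FROM sys.databases WHERE name = 'master';
SELECT name FROM sys.databases WHERE name = N'master';
```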

