parrot
Posting Yak Master
132 Posts
Posted - 2013-01-10 : 00:04:38

After going through an experience of having my database infected with sql injection and then fixing the problem, I reviewed the log file and learned of some of the characters hackers use in sql injection. To prevent further attacks I added requestFiltering to my web.config file. It is placed within the <security> block as shown below:

    <requestFiltering>
      <denyUrlSequences>
        <add sequence="--"/>
        <add sequence="varchar"/>
        <add sequence="+exec"/>
        <add sequence="+declare"/>
        <add sequence="+cast"/>
        <add sequence="=cast"/>
        <add sequence="@@version"/>
      </denyUrlSequences>
    </requestFiltering>

This code will stop any data in a url stream that contains the above characters. So a url that reads http://www.mywebsite.com?code=varchar(8000) will be rejected by the server and will throw an error. However, I also went the extra step and edited for these characters in any input fields as well. Doing this in combination with using parameterized queries should stop most sql injection.
visakh16
Very Important crosS Applying yaK Herder
52326 Posts
Posted - 2013-01-10 : 00:30:19

See other ways of stopping sql injection attacks

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/
robvolk
Most Valuable Yak
15732 Posts
Posted - 2013-01-10 : 07:27:35

Here are some more resources:

http://msdn.microsoft.com/en-us/library/ff648339.aspx
http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

I would even suggest not using the querystring for passing parameters, and only use form elements in the request header. This doesn't really make it more secure, but it helps identify any attackers that append text to a querystring.

I just recently read an interesting injection article; I'll have to find and post it later. Best part is that the site being hacked is still up and vulnerable.
parrot
Posting Yak Master
132 Posts
Posted - 2013-01-10 : 10:58:48

I should also mention that if my program data validation routine detects suspect data, I capture the ip address associated with the input and send myself an email noting the time, ip address, data field name and data content. I also write this to an error log. This way I can add the ip address to a deny list in my web.config file after checking to see the geo location of the ip address. In my sql injection episode I found out the ip address was located in Germany. For those who want to know the offender's ip address it is 109.230.251.12. I added this ip address to my web.config file in the <security> block as follows:

    <ipSecurity>
      <add ipAddress="141.136.17.150" allowed="false" />
      <add ipAddress="193.107.16.97" allowed="false" />
      <add ipAddress="217.106.238.157" allowed="false" />
      <add ipAddress="109.230.251.12" allowed="false" />
    </ipSecurity>

The above ip addresses are from Bulgaria, Russia, and Germany. Feel free to put them on your deny list. I would add all ip addresses from Russian bloc countries if I could but that is impossible to determine.
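As an added example (not code from either post), a Python model of the deny-sequence check from parrot's first post, the time/IP/field/content record his second post logs and emails, and the parameterized lookup the first post recommends as the real fix. The sequence list and the sample URL come from the posts; the `items` table, the client IP 203.0.113.7 and the function names are constructed, and the check models what the post describes rather than IIS's own request-filtering implementation.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# The sequences from the <denyUrlSequences> block in the first post.
DENY_SEQUENCES = ("--", "varchar", "+exec", "+declare", "+cast", "=cast", "@@version")


def denied_sequence(url):
    """Return the first deny sequence found in the URL, or None.

    A model of the check described in the post, not IIS's own request
    filtering: the whole percent-decoded URL is compared case-insensitively.
    """
    decoded = unquote(url).lower()
    return next((seq for seq in DENY_SEQUENCES if seq in decoded), None)


def audit_record(ip, url, when=None):
    """The record the second post logs and emails: time, IP, field name and
    content, plus the sequence that matched. Returns None for a clean URL."""
    seq = denied_sequence(url)
    if seq is None:
        return None
    parts = urlsplit(url)
    field, content = "<path>", parts.path
    for pair in parts.query.split("&"):  # locate the offending query field
        if seq in unquote(pair).lower():
            field, _, raw = pair.partition("=")
            content = unquote(raw)
            break
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    return {"time": stamp, "ip": ip, "field": field, "content": content, "sequence": seq}


def lookup_code(conn, code):
    """Parameterized lookup: the value is bound as data and never parsed as
    SQL, so a value the filter would reject is still harmless here."""
    return conn.execute("SELECT name FROM items WHERE code = ?", (code,)).fetchall()


def demo():
    """Constructed scenario: the post's own example URL against an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (code TEXT, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("A1", "widget"), ("varchar(8000)", "literal match")])
    url = "http://www.mywebsite.com?code=varchar(8000)"  # from the first post
    record = audit_record("203.0.113.7", url)            # constructed client IP
    return record, lookup_code(conn, "varchar(8000)")
```

The parameterized query returns the row whose code is literally `varchar(8000)`, which is the point: the value reaches the database as data, not as SQL, regardless of what the URL filter does with it.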