An SQL Injection attack is probably the easiest attack to prevent, yet it remains one of the forms of attack that applications are least often protected against. The core of the attack is that an SQL command is appended to the value entered into a form field of the web or application front end (usually through a website), with the intent of breaking out of the original SQL statement and then running the SQL that was injected through the form field. SQL Injection most often happens when you have dynamically generated SQL, built from user input, within your front-end application. These attacks are most common in legacy Active Server Pages (ASP) and Hypertext Preprocessor (PHP) applications, but they are still a problem in ASP.NET web applications.
The core reason behind an SQL Injection attack comes down to poor coding practices, both within the front-end application and within the database stored procedures. Many developers have learned better development practices since ASP.NET was released, but SQL Injection is still a big problem, between the number of legacy applications still in use and the newer applications built by developers who didn’t take SQL Injection seriously while building them.
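As an added illustration (not code from the book or this post), here is a SQL Server stored procedure written the way the paragraph above warns against, beside the same lookup rewritten so the caller's value reaches the statement only as a typed parameter of sp_executesql; the table dbo.Customers and its columns are assumed for the example:

```sql
-- Assumed for this example (not from the book): a table
-- dbo.Customers(CustomerId int, CustomerName nvarchar(100), City nvarchar(50))

-- VULNERABLE: the caller's value is concatenated into the SQL text, so any
-- value containing a single quote changes the meaning of the statement
-- rather than being treated as data. This is the pattern to remove.
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers WHERE City = '''
        + @City + N'''';
    EXEC (@sql);
END;
GO

-- SAFE: the statement text is fixed and the value is bound as a parameter
-- through sp_executesql, so it can never become part of the SQL itself.
CREATE PROCEDURE dbo.FindCustomersByCity
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, CustomerName FROM dbo.Customers WHERE City = @City;';
    EXEC sys.sp_executesql
        @sql,
        N'@City nvarchar(50)',   -- parameter definition for the statement
        @City = @City;           -- value bound by name, never concatenated
END;
GO
```

When the statement does not need to be built at run time, a plain static SELECT inside the procedure avoids dynamic SQL entirely; the sp_executesql form is for the cases where it genuinely does. The same rule applies in the application layer: bind user input as command parameters instead of concatenating it into the query string.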
SQL Injection is just one of the many attack vectors discussed in Securing SQL Server, 2nd Edition. The worst part about SQL Injection attacks is that they are just about impossible for the database administrator to resolve alone. It takes a coordinated effort between the database administrator, the database developer and the application developer to ensure that the application and database aren’t exposed to SQL Injection, while it takes just a single person making a single mistake to leave a hole open that can be exploited via SQL Injection.
In Chapter 6 we dive into what exactly a SQL Injection attack is, why the quick fixes and scripts that people try to use don’t work, and the proper way to secure the application so that it is no longer open to SQL Injection attacks. Beyond this one attack vector, we look at many of the other ways people can try to get access to SQL Server databases and the wealth of information they contain.
Securing SQL Server, 2nd Edition. This book explores the potential attack vectors someone can use to break into your SQL Server database, as well as how to protect your database from these attacks. Written by Denny Cherry and published by Syngress.