Harry Waldron - Microsoft MVP Blog

Security News and Best Practices for corporate and home users

Microsoft Best Practices for preventing SQL Injection Attacks

Microsoft has recently published a series of best practices to help developers build SQL code that is not susceptible to SQL injection attacks.

SQL injection attacks occur in applications that are poorly programmed. They are not a result of failures in the database or supporting products. When an application does not properly filter and control its input data, that input can be manipulated so that dangerous redirecting scripts end up stored on the website.

Once a website is infected, the newly embedded script directs visitors to another dangerous website that can automatically download malware onto the user's PC. While these attacks have been around for years, malware authors are now using automated approaches to find susceptible servers and infect thousands of websites in a single day.

IT developers have an inherent responsibility to protect the privacy and integrity of customer information. These articles are "must reads" for any IT developer, for greater assurances in building secure applications.

Microsoft Best Practices for preventing SQL Injection Attacks

Microsoft Security Vulnerability Research & Defense Blog - SQL Injection Attack
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx  
 
Nazim's IIS Security Blog - Filtering SQL injection from Classic ASP
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx 
 
Neil Carpenter's Blog - SQL Injection Mitigation: Using Parameterized Queries
http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx 
http://blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx 
 
Michael Howard's Blog - Giving SQL Injection the Respect it Deserves
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx 
 
MSDN Article - Preventing SQL Injections in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx 
 
Anti-Malware Engineering Team - When SQL Injections Go Awry, Incident Case Study
http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx 
 
A more general overview of SQL injection attacks can also be found here:
 
What are SQL Injection Attacks?
http://en.wikipedia.org/wiki/Sql_injection
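To make the point above concrete (input pasted into the SQL text changes the query's structure, whereas a parameterized query, as the Neil Carpenter articles recommend, always treats it as data), here is an added example that is not from the original post or any of the linked articles. It uses Python's built-in sqlite3 module with a constructed in-memory table; the table, column names and the sample input are assumptions for illustration only.

```python
import re
import sqlite3

# Constructed sample data: a tiny table of page bodies, the kind of content an
# injected redirect script would be written into (not from the original post).
_ROWS = [
    (1, "alice", "Welcome to our site"),
    (2, "bob", "Monthly newsletter"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", _ROWS)
    return conn


def lookup_vulnerable(conn, owner):
    # The pattern the post warns about: untrusted input is concatenated into the
    # SQL string, so a quote character in the input rewrites the WHERE clause.
    sql = "SELECT id FROM pages WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    # Hardened form: the SQL text is fixed and the value is passed separately,
    # so the database engine never interprets the input as SQL syntax.
    sql = "SELECT id FROM pages WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def lookup_hardened(conn, owner):
    # Defence in depth: validate against an allow-list of expected characters
    # (the "filter and control input" advice) AND use a parameterized query.
    if not re.fullmatch(r"[a-z0-9_]{1,32}", owner):
        raise ValueError("owner name contains unexpected characters")
    return lookup_parameterized(conn, owner)


def demo():
    conn = make_db()
    # Constructed hostile value: the quote closes the literal and the rest
    # becomes an always-true condition when concatenated into the query text.
    hostile = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_param": lookup_parameterized(conn, "alice"),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),  # every row leaks
        "hostile_param": lookup_parameterized(conn, hostile),    # no match: it is just a string
    }
```

Running `demo()` shows the concatenated query returning every row for the hostile value while the parameterized query returns nothing, and `lookup_hardened` rejects the value before it reaches the database at all.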

Posted May 31 2008, 01:28 PM by Harry Waldron

Comments

 

THE OFFICIAL BLOG OF THE SBS "DIVA" said:

While the default apps on a SBS 2003 (and upcoming SBS 2008) go through a SDL process so that I'm

May 31, 2008 10:31 AM
 


Nico said:

Microsoft has even gone so far as creating video primers on Hello Secure World: www.microsoft.com/hellosecureworld7  Worth noting, especially when you can't ever be too careful these days.

June 2, 2008 1:01 PM
 

Harry Waldron - My IT Forums Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

June 21, 2008 5:32 PM
 


Wade Hilmo said:

The IIS team has some street smarts when it comes to security. We learned quite a few lessons the hard

June 24, 2008 2:50 PM
 


Rovastar said:

A great selection of links, but also check out the following, which gives you more of a hacker's perspective:

ferruh.mavituna.com/sql-injection-cheatsheet-oku

ha.ckers.org/sqlinjection

so you understand the sort of things they do.

You will also get a greater understanding of the differences in styles that hackers use for different databases (MySQL, Oracle, etc.). Although some commands are generic, others can be tailored to attack the database platform.

(search for 'SQL injection cheat sheet' for more examples of these)

Although SQL injection problems are foremost developers' issues, hosting admins need to be aware as well; for IIS, check out the different filters like URLScan 3:

blogs.technet.com/.../new-tools-to-block-and-eradicate-sql-injection.aspx

June 25, 2008 4:34 AM
 

Harry Waldron - My IT Forums Blog said:

URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks Microsoft has just enhanced a key

June 27, 2008 7:35 AM
 


turkey said:

thank you .. perfect docs

August 1, 2008 6:34 AM
