
Harry Waldron - IT Security

Security Developments, Software Updates and Best Practices

Microsoft Best Practices for preventing SQL Injection Attacks

Microsoft has recently published a series of best-practice articles to help developers write SQL code that is not susceptible to SQL injection attacks.

SQL injection attacks occur in applications that are poorly programmed; they are not a result of failures in the database or supporting products. When an application does not properly filter and control input data, that input can be manipulated so that dangerous redirecting scripts end up stored on the website.

Once a website is infected, the newly embedded script directs visitors to another dangerous website that can automatically download malware onto the user's PC. While these attacks have been around for years, malware authors are now using automated approaches to find susceptible servers and infect thousands of websites in a single day.

IT developers have an inherent responsibility to protect the privacy and integrity of customer information. These articles are "must reads" for any IT developer seeking greater assurance in building secure applications.
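As an added illustration (not code from the original post or from the Microsoft articles linked below), the following Python script contrasts the string-concatenated query those articles warn against with a parameterized query and a simple input allow-list, using an in-memory SQLite table; the table, column names and the hostile input are constructed for the demo.

```python
import sqlite3

# Constructed sample content table standing in for a website's database (not from the post).
SAMPLE_ROWS = [
    (1, "alice", "Welcome to our store"),
    (2, "bob", "Summer sale starts Monday"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_concatenated(conn, owner):
    """Vulnerable pattern: untrusted input is pasted into the SQL text, so a quote
    character in the input changes the meaning of the statement."""
    sql = "SELECT id, body FROM pages WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, owner):
    """Hardened pattern: the SQL text is fixed and the value is bound separately,
    so whatever the input contains is compared as a plain string."""
    return conn.execute("SELECT id, body FROM pages WHERE owner = ?", (owner,)).fetchall()

def validate_page_id(raw):
    """Allow-list filter for a numeric key: accept only decimal digits, return None
    for anything else (the 'filter and control input data' step from the post)."""
    return int(raw) if raw.isdecimal() else None

def lookup_by_id(conn, raw_id):
    page_id = validate_page_id(raw_id)
    if page_id is None:
        return []   # rejected before it ever reaches the database
    return conn.execute("SELECT id, body FROM pages WHERE id = ?", (page_id,)).fetchall()

def demo():
    conn = make_db()
    # Constructed hostile input: the quote closes the literal and the OR makes the WHERE clause always true.
    hostile = "nobody' OR '1'='1"
    return {
        "concatenated": lookup_concatenated(conn, hostile),    # every row leaks
        "parameterized": lookup_parameterized(conn, hostile),  # no row matches
        "bad_id": lookup_by_id(conn, "1 OR 1=1"),              # rejected by the allow-list
        "good_id": lookup_by_id(conn, "2"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```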

Microsoft Best Practices for preventing SQL Injection Attacks

Microsoft Security Vulnerability Research & Defense Blog - SQL Injection Attack
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

Nazim's IIS Security Blog - Filtering SQL injection from Classic ASP
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Neil Carpenter's Blog - SQL Injection Mitigation: Using Parameterized Queries
http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx
http://blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx

Michael Howard's Blog - Giving SQL Injection the Respect it Deserves
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

MSDN Article - Preventing SQL Injections in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx

Anti-Malware Engineering Team - When SQL Injections Go Awry, Incident Case Study
http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx

A more general overview of SQL injection attacks can also be found here:

What are SQL Injection Attacks?
http://en.wikipedia.org/wiki/Sql_injection

Comments

THE OFFICIAL BLOG OF THE SBS "DIVA" said:

While the default apps on a SBS 2003 (and upcoming SBS 2008) go through a SDL process so that I'm

# May 31, 2008 10:31 AM

MVPs said:

While the default apps on a SBS 2003 (and upcoming SBS 2008) go through a SDL process so that I'm

# May 31, 2008 11:17 AM

Nico said:

Microsoft has even gone so far as creating video primers on Hello Secure World: www.microsoft.com/hellosecureworld7  Worth noting, especially when you can't ever be too careful these days.

# June 2, 2008 1:01 PM

Harry Waldron - My IT Forums Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 21, 2008 5:32 PM

Harry Waldron - My IT Forums Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 21, 2008 5:37 PM

Harry Waldron - Microsoft MVP Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 21, 2008 5:37 PM

Wade Hilmo said:

The IIS team has some street smarts when it comes to security. We learned quite a few lessons the hard

# June 24, 2008 2:50 PM

iis said:

The IIS team has some street smarts when it comes to security. We learned quite a few lessons the hard

# June 24, 2008 3:29 PM

iis said:

The IIS team has some street smarts when it comes to security. We learned quite a few lessons the hard

# June 25, 2008 3:31 AM

Rovastar said:

A great selection of links, but also check out the following, which give you more of a hacker's perspective:

ferruh.mavituna.com/sql-injection-cheatsheet-oku

ha.ckers.org/sqlinjection

so you understand the sort of things they do.

You will also get a greater understanding of the differences in styles that hackers use for different databases (MySQL, Oracle, etc.). Although some commands are generic, others can be tailored to attack the database platform.

(search for 'SQL injection cheat sheet' for more examples of these)

Although SQL injection problems are foremost developers' issues, hosting admins need to be aware too; for IIS, check out the different filters like URLScan 3:

blogs.technet.com/.../new-tools-to-block-and-eradicate-sql-injection.aspx

# June 25, 2008 4:34 AM

Harry Waldron - My IT Forums Blog said:

URL Scan 3.0 Beta - New version helps detect SQL Injection Attacks Microsoft has just enhanced a key

# June 27, 2008 7:35 AM

Harry Waldron - Microsoft MVP Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 27, 2008 7:35 AM

Harry Waldron - My IT Forums Blog said:

Microsoft has just enhanced a key IIS based security tool in response to the new wave of automated SQL

# June 27, 2008 7:36 AM

turkey said:

thank you .. perfect docs

# August 1, 2008 6:34 AM