Oracle Consulting Oracle Training Oracle Support Development
Home
Catalog
Oracle Books
SQL Server Books
IT Books
Job Interview Books
eBooks
Rampant Horse Books
911 Series
Pedagogue Books

Oracle Software
image
Write for Rampant
Publish with Rampant
Rampant News
Rampant Authors
Rampant Staff
 Phone
 800-766-1884
Oracle News
Oracle Forum
Oracle Tips
Articles by our Authors
Press Releases
SQL Server Books
image
image

Oracle 11g Books

Oracle tuning

Oracle training

Oracle support

Remote Oracle

STATSPACK Viewer

Privacy Policy

 

   
  SQL Server Tips by Burleson

SQL Injection

SQL Injection is a hacking technique that consists of inserting code with input data. When that input is appended to a SQL query, the effect that was supposed to be a simple filtering becomes a different filtering where a logical expression becomes always true or it returns all data when it should not. There is also the possibility of executing arbitrary TSQL code.

This attack is performed in two situations:

  • To gain access to a server, usually a web server because most websites use a database for user authentication. By stealing the administrator password it might be possible to access tools that allow online administration of the server. The database server is also vulnerable because it might be possible to execute code or to obtain information to help cracking the SQL Server passwords.
  • To execute TSQL code that will cause a denial of service or to corrupt data, probably when the other type of attack fails. Users who access the database through a web application or any other indirect form should not have permissions that would allow extensive damage.

If you cannot or do not want to check the tests with ASP or PHP, you can still try the SQL injection methods explained in this section from SQL Query Analyzer by skimming through the web application sections and using the SP from the SQL injection in the dynamic SQL section.

Example: A web application that returns the products from the Northwind database with a certain category name submitted by any surfer with no authentication. After all, the page provides a search service and the users can define a filter for a SELECT statement and the data is not updated, inserted or deleted from the page.


The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

 http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm  

Linux Oracle commands syntax poster

ION Oracle tuning software

Oracle data dictionary reference poster



Oracle Forum

BC Oracle consulting support training

BC remote Oracle DBA   

 

   

 Copyright © 1996 -2016 by Burleson. All rights reserved.


Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks
 

Hit Counter