I want to initiate a topic: "SQL Injection".
SQL Injection: Armed with advanced server-side technologies like ASP.NET and powerful database servers such as Microsoft SQL Server,
developers are able to create dynamic, data-driven Web sites with incredible ease. But the power of ASP.NET and SQL can
easily be used against you by hackers mounting an all-too-common class of attack—the SQL injection attack.
SQL Injection: SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL
commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers
often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters.
The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through
the Web application.
The Basic Idea:
The basic idea behind a SQL injection attack is this: you create a Web page that allows the user to enter text into a textbox that will be used to execute a query against a database. A hacker enters a malformed SQL statement into the textbox
that changes the nature of the query so that it can be used to break into, alter, or damage the back-end database.
My Problem:
Presently I am testing an ASP.NET application + SQL Server. Can anybody suggest how to make sure my application is safe from SQL injection?
What's the practical approach?
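As an added illustration of the "basic idea" in the post above (this is example code, not from the thread or from MSDN), the same login lookup is written twice: once by gluing the textbox text into the SQL string, once with a parameterized query. Python with an in-memory SQLite table stands in for ASP.NET and SQL Server; in ADO.NET the parameterized form corresponds to SqlCommand with SqlParameter values. The table rows and the probe string are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_concat(conn, name, password):
    """Vulnerable: user text is pasted straight into the SQL string,
    so input containing a quote can change the query's structure."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))

def login_param(conn, name, password):
    """Hardened: the SQL text is fixed and the values travel as
    parameters, so the database treats them as data, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))

# A textbook QA probe: a closing quote followed by an always-true condition.
PROBE = "' OR '1'='1"

def run_demo():
    """Run both versions with a normal login and with the probe.
    With concatenation the probe matches every row; with parameters it
    matches none, because no user is literally named ' OR '1'='1."""
    conn = make_db()
    results = {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "concat_probe": login_concat(conn, PROBE, PROBE),
        "param_normal": login_param(conn, "alice", "s3cret"),
        "param_probe": login_param(conn, PROBE, PROBE),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(label, rows)
```

For a tester, the observable difference is the point: a login form that accepts the probe (or returns an unexpected database error) is building SQL by concatenation, while a parameterized one simply reports no match.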
Thanks Jason, the matter mentioned to start the topic is from MSDN only; all those who are using MS tech know this well. My question remains the same.
If someone has a better/appropriate answer to my question, any type of help (link/white paper/article) please reply. Thanks again,
Sorry, I forgot to mention, I am a QA and don't have much knowledge of SQL, so please enlighten me in light language; as a tester/QA, how can I make sure that my application is SQL injection free? Thanks again :)
This is a wonderful topic. My current employer has to worry about this. We also operate in a SAS70 environment with some SOX worries. This becomes a big issue since our database is SQL based and we serve many clients via the web.
While the link shown below is not exact on the topic, it is one of the issues we have dealt with. Memory tells me that the link might even discuss the specifics of SQL as well as the other content.
We have done a fair amount of work to plug security holes: SQL, printers, cross-site scripting, phishing, and many others. We had to look both internally and externally to discover all of the threats.
Anyway, the article is specific to cross-site scripting, but covers a whole lot more. It can be found at Web Security. I bet that there may be other articles associated with the site as well.
Hopefully there will be more response to this topic.