Anatomy of a SQL Server Injection Hack on the Show Today
Featured Article(s)
Writing efficient Stored Procedures - A Case Study
(By G.R. Preethiviraj Kulasingham) Performance optimization of Stored Procedures for developers. This article is a case study, which re-writes a stored procedure in different ways in order to optimize the performance.
New Video: SelectViews SQL Server Show
Today's show - we're looking at the automated SQL Server Injection that's going around. We've been tracking it in our own logs here at SSWUG and I put a segment in the show to specifically show you what's happening and how this may be getting through some of the more common filtering techniques out there. Sure, I'd love to get killer traffic on this show, but more than that, I hope you'll take a minute and watch; I tried to show exactly why it's getting through and what's being done. It's in the newsletter section of the show.
[Watch The Show]
The SQL injection issue is really substantial and something you need to understand before you can address it. This isn't your typical "type a character, see what the error is, tweak the hack, try again" type scenario. The reason it's succeeding so frequently in getting through is that it's using an approach that doesn't expose the keywords or other things people have filtered on in their applications. It slips right through. The hack uses a CAST statement and encodes the actual SQL, then decodes and executes the result. It's just lovely, really.
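As an added illustration (not code from the show or the newsletter), here is a Python check a defender can run over web-server request log lines: it URL-decodes each request, decodes any hex literal handed to CAST(... AS NVARCHAR) back to text, and reports the SQL keywords that appear only inside the decoded literal, which is exactly what a plain keyword filter on the raw request misses. The log lines, the keyword list and the encoded SQL are constructed samples.

```python
import re
import urllib.parse

# Keyword list of the kind a plain substring filter checks against the raw request.
NAIVE_KEYWORDS = ("select", "insert", "update", "delete", "drop", "union", "xp_", "script")

# A hex literal handed to CAST(... AS VARCHAR/NVARCHAR), and an EXEC(...) call.
CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.I)
EXEC_CALL = re.compile(r"\bexec(?:ute)?\s*\(", re.I)


def naive_filter_hits(request):
    """Keywords a substring filter sees in the (URL-decoded) raw request."""
    low = urllib.parse.unquote_plus(request).lower()
    return [k for k in NAIVE_KEYWORDS if k in low]


def decode_cast_literals(request):
    """Decode every hex literal fed to CAST(... AS [N]VARCHAR) back to text."""
    out = []
    for m in CAST_HEX.finditer(urllib.parse.unquote_plus(request)):
        h = m.group(1)
        raw = bytes.fromhex("0" + h if len(h) % 2 else h)
        # NVARCHAR literals are UTF-16LE (NUL bytes between ASCII chars);
        # anything else is treated as a single-byte VARCHAR literal.
        if len(raw) % 2 == 0 and b"\x00" in raw:
            out.append(raw.decode("utf-16-le", errors="replace"))
        else:
            out.append(raw.decode("latin-1"))
    return out


def classify(request):
    """Flag a request whose decoded CAST literal carries SQL the raw text hides."""
    decoded = decode_cast_literals(request)
    hidden = [k for k in NAIVE_KEYWORDS if any(k in d.lower() for d in decoded)]
    has_exec = EXEC_CALL.search(urllib.parse.unquote_plus(request)) is not None
    return {
        "naive_hits": naive_filter_hits(request),
        "decoded": decoded,
        "hidden_keywords": hidden,
        "suspicious": bool(hidden) or (bool(decoded) and has_exec),
    }


# Constructed sample log: the encoded SQL is a harmless SELECT, hex-encoded as UTF-16LE.
HIDDEN_HEX = "select 1".encode("utf-16-le").hex()
SAMPLE_LOG = [
    "GET /products.asp?id=12 HTTP/1.1",
    "GET /products.asp?id=12;DECLARE%20@s%20NVARCHAR(4000);SET%20@s=CAST(0x"
    + HIDDEN_HEX + "%20AS%20NVARCHAR(4000));EXEC(@s);-- HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
```

The second sample line shows the point of the segment: the raw request contains none of the filtered keywords, so only decoding the literal reveals the SQL that will be executed.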
Anyway, all of this is to say: if you have a minute, take a look at the show and see what it's all about; at the same time, it's a bit of an "Anatomy of a Hack." Here's the official show description:
SelectViews SQL Server Show
SQL Injection Dissection, Drive Tips for Performance, Upcoming Events and More. Also, Clustered Index Tips, Noise and News in the DB World, Discussions, Newsletter Feedback.
[Watch The Show]
Featured White Paper(s)
Easing the Migration to Microsoft SQL Server 2005
Many companies are eager to take advantage of Microsoft SQL Server 2005 and its notable business and technology benefits such... (read more)
SharePoint Customization Best Practices
In this paper, we will tackle a subject that has raised many questions and an equally large number of answers. How do I custo... (read more)
See you online!
Stephen Wynkoop,
Founder, Microsoft SQL Server MVP, swynk@sswug.org
Featured/New Products For Your Review
The following products are in the Product Directory, and may help in your use of your database engine. Take a look when you get a minute.
* Embarcadero Technologies - Professional-Grade Cross-Platform Database Tools
Find out about these and other products in the Product Directory.
Today's Articles Note: 'Guest' articles below will be available for seven days to registered guests.
SQL Server Topics
Developer Topics
Oracle Topics
XML Topics
DB2 Topics
SSWUG.ORG Sponsors, Special Offers
Thank you to our sponsors!
Special Member Offers
See the special member offers page for more information
Pay them a visit and let them know you heard about them on SSWUG.ORG!
SSWUG.ORG Free Software
Software Free to use courtesy of SSWUG.ORG
- dbOrchestra - Community Editions - A versatile object browser with a Simple point and click interface to your SQL Tables, Views, and Stored Procedures (local or network). Point and clic...
- Embarcadero® EA/Studio™ Community Edition - Embarcadero EA/Studio Community Edition is a free standards-based business process modeling and conceptual modeling tool enabling business process mod...
- DataLinks for MS Access Only - DataLinks for Access only query tool allows business and IT users to quickly and easily access their Access databases. Writes SQL, easiest UI on the m...
- Free SQL Server Permissions Transfer - Idera SQLpermissions Save time and reduce errors when setting up SQL Server logins & permissions. SQLpermissions will generate customizable T-SQL sc...
- SQLsafe Freeware Edition - High performance SQL Server Backup & Recovery – 50% Faster than Native Backup Idera SQLsafe Freeware Edition is a free SQL Server database backup and...
- Free SQL Server Performance Dashboard - Idera Free SQL Check SQLcheck is an easy-to-use performance dashboard for SQL Server. Running as a handy and secure screensaver or on-demand, SQLchec...
Free Software Offers
See the free software page for more information
Help Needed!
Some of your fellow members need some help - and we'll be sure to include your questions here as well. We'll see that you get answers!
Forum: SQL Server: SQL Server 2005
Forum: SQL Server: Administration
When you post questions to the boards, they're included here in the newsletter. In addition, the message board system can email you when answers to your questions have been posted. Ask away!
Summaries
Writing efficient Stored Procedures - A Case Study
(By G.R. Preethiviraj Kulasingham) Performance optimization of Stored Procedures for developers. This article is a case stu...
Column Order in a Composite Index
One of our readers asked 3 questions about composite indexes which we thought we would share with all of you: Q1) For a co...
Policy-based Management in SQL Server 2008 – Part II
(Yan Pan) As discussed in Part I, the execution mode of each policy is determined by the characteristics of the Management fa...
Using Indexes to Bypass Locks
(Tal Olier) One of the issues you'll face with SQL Server is blocking which is caused by other processes that are holding loc...
Using ASP.NET Application Services in Windows Applications
(Bipin Joshi) Since their introduction ASP.NET application services are popular and widely adopted means to implement members...
Real-Time Progress Bar With ASP.NET AJAX
(Timothy Khouri) Due to the disconnected nature of the web, developers have often wondered how to display certain metrics suc...
Save and Retrieve Images from the Database using ASP.NET 2.0 and ASP.NET 3.5
(Suprotim Agarwal) At some point or the other, we as ASP.NET developers, have faced the requirement of reading and writing im...
.NET Tip: Sort an ArrayList Using a Custom Comparer Class
(Jay Miller) The Sort() method of the ArrayList class allows you to provide your own comparer. When you provide a comparison ...
Oracle Enterprise Manager leverages multiple environments for pharmaceutical giant
(Barney Beal) When nurses enter rooms to administer medication at one of the 355 hospitals across North America served by McK...
Index Scan or Full Table Scan: The "Magic" Number (Magic Dance)
(Richard Foote) What seems like ages ago, I listed 8 things you may not have known about indexes. Although I've since written...
Triggers…
(Patrick Barel) I ran into an issue at a customer site where certain triggers were disabled in the database where they should...
Cross-site XMLHttpRequest: Boon or Pandora's Box
(Daniel Rubio) Browsers have established themselves as the IT community's ubiquitous client, even though some still consider ...
Improve the performance of your XML applications using Xerces-C++
(David A. Cargill and Khaled Noaman) XML is becoming a main staple in data exchange both between applications and on the Web....
Implementing SOA: Using Services
(Paul C. Brown) Services, on their own, provide no benefit. To get benefit from your services, you need to employ them as an ...
How to Write Efficient SQL (Part 2)
(Troy Coleman) Last week I reviewed concepts and terms that are used to explain how DB2 filters and retrieves rows of data ba...
Information architecture essentials, Part 7: Data-store design
(Benjamin Lieberman) Valuable business information should never be left sitting around. It should be organized and saved into...
APAR Friday: Five for Friday
(Willie Favero) I'm back with my Friday APAR hunt. This week I thought I would concentrate on a few HIPERs. They are more critic...
Guest Articles [Top]
The article listings denoted as GUEST are random archive articles. Those articles are always available to dues-paying members, but are also available to guest newsletter subscribers for a period of 7 days from the release of this newsletter. Each newsletter features a new set of archive articles for each of the topics.
It's our hope that when you see the quality and range of articles in the archives, you'll see what a great value your SSWUG dues-paying membership really is.
Click Here to Activate Membership Today - it only takes a minute.
(c) 1997-2008, Bits on the Wire, Inc.
Some names and products covered by SSWUG are the registered trademarks of their respective owners.
The SQL Server Worldwide User's Group 8987 E. Tanque Verde #309-269 Tucson, AZ 85749 USA