Novick Software
SQL Server Consulting Design Programming Tuning

Andy Novick is a SQL Server MVP


Defending SQL Server from SQL Injection Attack

SQL injection attacks have emerged as the application security issue behind the most data-loss and web site defacement incidents, surpassing cross-site scripting. Defending SQL Server from SQL injection continues to be a problem for many applications. This presentation discusses the ways that SQL Server developers and DBAs can harden their applications and servers. The methods demonstrated include:

  • Protecting dynamic SQL statements when they can't be eliminated
  • Security configuration to minimize the vulnerable surface area
  • Using DML triggers to thwart many common attacks
  • Managing stored procedure privilege with the EXECUTE AS clause
  • Using DDL triggers to minimize vulnerabilities
  • The ineffectiveness of database and column encryption as defenses from SQL injection.
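As an added illustration of the first and fourth bullets (this is not code from the presentation or its downloadable examples), here is one lookup written first as injectable dynamic SQL and then hardened with sp_executesql parameters, a QUOTENAME-delimited whitelist for the only truly dynamic fragment, and EXECUTE AS OWNER so callers need no table rights; the table dbo.Customers and the user AppUser are assumed.

```sql
-- Constructed example. Assumed table:
-- dbo.Customers(CustomerID int, Name nvarchar(100), City nvarchar(50))

-- VULNERABLE: the caller's value is spliced into the statement text, so a
-- quote character in @City alters the statement instead of the compared value.
CREATE PROCEDURE dbo.usp_CustomersByCity_Unsafe
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name FROM dbo.Customers WHERE City = '''
        + @City + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: @City travels as a typed parameter of sp_executesql, so it is never
-- parsed as SQL. The sort column is the only part that must be dynamic; it is
-- checked against a fixed list and then delimited with QUOTENAME. EXECUTE AS
-- OWNER runs the body under the procedure owner, so AppUser needs no SELECT
-- permission on dbo.Customers, shrinking what an injected statement could reach.
CREATE PROCEDURE dbo.usp_CustomersByCity
    @City    nvarchar(50),
    @OrderBy sysname = N'Name'
WITH EXECUTE AS OWNER
AS
BEGIN
    IF @OrderBy NOT IN (N'Name', N'CustomerID')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name FROM dbo.Customers WHERE City = @City'
        + N' ORDER BY ' + QUOTENAME(@OrderBy);

    EXEC sys.sp_executesql @sql, N'@City nvarchar(50)', @City = @City;
END;
GO

-- Least privilege: the application user gets EXECUTE on the procedure only.
GRANT EXECUTE ON dbo.usp_CustomersByCity TO AppUser;
```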

SQL Server is one of the most vulnerable components of an application and one of the most frequently attacked. Come hear about the techniques you can use to protect it from SQL injection attacks.

Download the slides about SQL Injection Attacks

Download the SQL examples from the SQL injection attack presentation

Andrew Novick is a developer/consultant with 25 years in the computer industry and a focus on SQL Server and Microsoft .NET. His practice includes designing databases, query optimization, analysis of performance problems, and building business applications. His writings include the books Transact-SQL User-Defined Functions and SQL Server 2000 XML Distilled. You can find additional articles on his web site: http://www.NovickSoftware.com

Data Camp 1, Jan 24, 2009
NH Code Camp, Feb 28, 2009
