Novick Software
SQL Server Consulting Design Programming Tuning

  Andy Novick is a SQL Server MVP



Defending SQL Server from SQL Injection Attack

SQL injection has overtaken cross-site scripting as the application security issue behind the most data loss and web site defacement incidents, and defending SQL Server against it remains a problem for many applications.  This presentation discusses the ways that SQL Server developers and DBAs can harden their applications and servers.  The methods demonstrated include:

  • Protecting dynamic SQL statements when they can't be eliminated
  • Security configuration to minimize the vulnerable surface area
  • Using DML triggers to thwart many common attacks
  • Managing stored procedure privileges with the EXECUTE AS clause
  • Using DDL triggers to minimize vulnerabilities
  • Why database and column encryption are ineffective as defenses against SQL injection
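The following T-SQL is an added worked example, not code from the slides or from the presentation's sample download, sketching the first five defenses in the list above (the sixth, encryption, needs no code to make its point). The table dbo.Customers, its columns, and the role AppRole are assumptions made for the illustration.

```sql
-- Added example (not the presentation's code). Assumed schema and role:
--   dbo.Customers(CustomerID int, LastName nvarchar(50), Notes nvarchar(max)), role AppRole.

-- 1a. Vulnerable dynamic SQL: the caller's text is spliced into the statement.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);  -- @LastName = N''' OR 1=1 --' returns every row
END;
GO

-- 1b. Hardened dynamic SQL: data travels as a typed sp_executesql parameter, identifiers
--     that must be dynamic are whitelisted and wrapped in QUOTENAME, and EXECUTE AS OWNER
--     lets the caller run the procedure without holding any rights on the table itself.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName   nvarchar(50),
    @SortColumn sysname = N'LastName'
WITH EXECUTE AS OWNER
AS
BEGIN
    IF @SortColumn NOT IN (N'CustomerID', N'LastName')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, LastName FROM dbo.Customers '
        + N'WHERE LastName = @p_LastName ORDER BY ' + QUOTENAME(@SortColumn) + N';';
    EXEC sys.sp_executesql @sql, N'@p_LastName nvarchar(50)', @p_LastName = @LastName;
END;
GO

-- 2. Least privilege / surface area: the application role may execute the procedure only.
--    With no SELECT on dbo.Customers, an injected statement that escapes the procedure
--    has nothing it is allowed to read.
CREATE ROLE AppRole;
GRANT EXECUTE ON OBJECT::dbo.FindCustomer_Safe TO AppRole;
-- Keep OS-level escape hatches off (xp_cmdshell is off by default; this keeps it that way).
EXEC sys.sp_configure N'show advanced options', 1; RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0; RECONFIGURE;

-- 3. DML trigger: roll back the defacement pattern of injecting <script> tags into text columns.
CREATE TRIGGER dbo.trg_Customers_NoScript
ON dbo.Customers
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    IF EXISTS (SELECT 1 FROM inserted
               WHERE Notes LIKE N'%<script%' OR LastName LIKE N'%<script%')
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR(N'Rejected: script tag written to a text column.', 16, 1);
    END;
END;
GO

-- 4. DDL trigger: refuse schema changes that arrive on the application's connection.
CREATE TRIGGER trg_BlockAppDDL
ON DATABASE
FOR DROP_TABLE, ALTER_TABLE, CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE
AS
BEGIN
    IF IS_ROLEMEMBER(N'AppRole') = 1
    BEGIN
        ROLLBACK;
        RAISERROR(N'Schema changes are not allowed from the application role.', 16, 1);
    END;
END;
GO
```

Two caveats worth keeping in mind with this pattern. Dynamic SQL breaks ownership chaining, so EXECUTE AS OWNER is what lets FindCustomer_Safe work for a caller with no table rights; the flip side is that any SQL injected into an EXECUTE AS OWNER procedure also runs as the owner, so the clause is only safe alongside parameterization, and the owning user should hold the minimum rights rather than being dbo. The triggers are a backstop for the common attack shapes, not a substitute for parameterized statements: a trigger sees only the effect of a statement, never the input that produced it.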

SQL Server is one of the most vulnerable and most frequently attacked components of an application.  Come hear about the techniques you can use to protect it from SQL injection attacks.

Download the slides about SQL Injection Attacks

Download the SQL examples from the SQL injection attack presentation

Andrew Novick is a developer/consultant with 25 years in the computer industry and a focus on SQL Server and Microsoft .NET.  His practice includes designing databases, query optimization, analysis of performance problems, and building business applications.  His writings include the books Transact-SQL User-Defined Functions and SQL Server 2000 XML Distilled.  You can find additional articles on his web site.

Camp 1: Jan 24

Code Camp: Feb 28th





