||SQL Server Tips by Gama and Naughter
SQL Injection is a hacking technique that consists of inserting code
with input data. When that input is appended to a SQL query, the
effect that was supposed to be a simple filtering becomes a
different filtering where a logical expression becomes always true
or it returns all data when it should not. There is also the
possibility of executing arbitrary TSQL code.
This attack is performed in two situations:
- To gain access to a server, usually a web server because
most websites use a database for user authentication. By
stealing the administrator password it might be possible to
access tools that allow online administration of the server. The
database server is also vulnerable because it might be possible
to execute code or to obtain information to help cracking the
SQL Server passwords.
- To execute TSQL code that will cause a denial of service or
to corrupt data, probably when the other type of attack fails.
Users who access the database through a web application or any
other indirect form should not have permissions that would allow
If you cannot or do not want to check the tests with ASP or PHP,
you can still try the SQL injection methods explained in this
section from SQL Query Analyzer by skimming through the web
application sections and using the SP from the SQL injection in the
dynamic SQL section.
Example: A web application that returns the products from the
Northwind database with a certain category name submitted by any
surfer with no authentication. After all, the page provides a search
service and the users can define a filter for a SELECT statement and
the data is not updated, inserted or deleted from the page.
The above book excerpt is from:
Turbocharge Database Performance with C++ External Procedures
Joseph Gama, P. J. Naughter