  SQL Server Tips by Gama and Naughter

Ideas to prevent script injection

The best way to avoid this security issue is to use XP_DISKLOG to log to a text file instead of running XP_CMDSHELL. Checking the length of the input prevents attacks that rely on truncation of the input. Filtering invalid characters helps by keeping certain keywords out of the input, and if such incidents are recorded, the filter also works as a forensic tool.
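As an added illustration of the three measures above (length check, character filter, recording of rejected input), here is a small validation routine of the kind an extended stored procedure could apply to its argument before doing anything with it. This is not the book's code; the limit of 64 bytes, the whitelist, the keyword list and the in-memory audit log are all assumptions made for the example.

```cpp
// Added example, not from the book: validating an XP argument before use.
// Every limit and name below is an assumption chosen for illustration.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <vector>

// Assumed maximum length for the argument; a real XP derives this from the
// size of the buffer the value is copied into.
const std::size_t kMaxInputLen = 64;

// Whitelist: letters, digits, space, '_', '-' and '.'. Everything else is
// rejected, so separators and quotes never reach a command or log line.
bool is_allowed_char(unsigned char c) {
    return std::isalnum(c) || c == ' ' || c == '_' || c == '-' || c == '.';
}

// Constructed keyword list, matched case-insensitively. A blocklist is a
// second line of defence behind the whitelist, not a replacement for it.
const char* const kBlockedKeywords[] = { "xp_cmdshell", "exec", "shutdown", "drop" };

// One rejected input, kept for later forensic review.
struct AuditRecord {
    std::string reason;
    std::string input;
};

// In-memory audit log so the example runs offline; an XP would append each
// record to a text file (the XP_DISKLOG idea from the text).
std::vector<AuditRecord>& audit_log() {
    static std::vector<AuditRecord> log;
    return log;
}

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Returns true when the input passes all three checks; otherwise records the
// reason and the offending input, and returns false.
bool validate_input(const std::string& input) {
    if (input.size() > kMaxInputLen) {
        audit_log().push_back({"length", input});
        return false;
    }
    for (unsigned char c : input) {
        if (!is_allowed_char(c)) {
            audit_log().push_back({"char", input});
            return false;
        }
    }
    const std::string lowered = to_lower(input);
    for (const char* kw : kBlockedKeywords) {
        if (lowered.find(kw) != std::string::npos) {
            audit_log().push_back({"keyword", input});
            return false;
        }
    }
    return true;
}

int main() {
    validate_input("report_2005.txt");   // accepted
    validate_input("a;b");               // rejected: ';' not in whitelist
    return static_cast<int>(audit_log().size());
}
```

Note that a plain substring blocklist also rejects harmless words that contain a keyword (for example "executive" contains "exec"); that is why the whitelist does the real work and the keyword check only adds a recorded signal.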

Buffer overflows

This section describes the buffer overflow exploit, how to use the debugger in detail, and how to look for security issues in the code.
The most common hacking attack, or at least the most talked about, is the buffer overflow.

There are other techniques (heap overflow, integer overflow, format string exploitation, etc.), but they are not as "famous".

Poor programming and even poorer testing cause buffer overflows. The flaw in the code just sits there, waiting for a hacker to exploit it. The code fails to prevent input data from exceeding the allocated buffer size and spilling into the adjacent memory. If effectively exploited, it will run arbitrary code sent along with the input data.

xp_buffov

This XP has one call to a function "test", which has one local variable of fixed length (ten bytes), and there is some limited protection in that input data over twenty bytes in length is rejected. However, the buffer in the function is only ten bytes long, so it will still suffer a buffer overflow.
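The defect in xp_buffov is that the length check and the buffer size are two unrelated numbers: the check lets through anything up to twenty bytes, the buffer holds ten. The added example below is not the book's xp_buffov code; it expresses that gap as a function (how many bytes of an accepted input would land past the buffer) and shows the hardened form, where the limit is derived from sizeof(buffer) and the copy itself is bounded. The function names are assumptions; the two sizes come from the text.

```cpp
// Added example, not the book's code: the mismatch in xp_buffov next to a
// bounded copy. kBufferSize and kFlawedLimit are the sizes given in the text;
// everything else is an assumption for illustration.
#include <cstddef>
#include <cstring>
#include <string>

const std::size_t kBufferSize = 10;   // local buffer in function "test"
const std::size_t kFlawedLimit = 20;  // length above which the XP rejects input

// Models the check as described: inputs longer than 20 bytes are rejected,
// everything else is copied into the 10-byte buffer. Returns how many bytes
// (payload plus terminating NUL) would be written past the end of the buffer;
// nothing is actually overflowed here.
std::size_t bytes_past_buffer(std::size_t input_len) {
    if (input_len > kFlawedLimit) return 0;       // rejected, never copied
    const std::size_t needed = input_len + 1;     // payload plus NUL
    return needed > kBufferSize ? needed - kBufferSize : 0;
}

// Hardened form: the limit is taken from the buffer itself and the copy is
// bounded by sizeof(buffer), so the check and the copy cannot drift apart.
// Returns false, leaving `out` untouched, when the input does not fit.
bool copy_bounded(const char* input, std::size_t input_len, std::string& out) {
    char buffer[kBufferSize];
    if (input_len >= sizeof(buffer)) return false;   // keep room for the NUL
    std::memcpy(buffer, input, input_len);
    buffer[input_len] = '\0';
    out = buffer;
    return true;
}

int main() {
    std::string out;
    bool ok = copy_bounded("abcdefghi", 9, out);      // fits: 9 bytes + NUL
    bool overflow_would_occur = bytes_past_buffer(15) > 0;
    return (ok && overflow_would_occur) ? 0 : 1;
}
```

Reading the two functions side by side is the review habit the section is after: whenever an input length is compared against a constant, find the buffer it ends up in and confirm the constant is derived from that buffer's size, NUL terminator included.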

The above book excerpt is from:

Super SQL Server Systems: Turbocharge Database Performance with C++ External Procedures
ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter
http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm

Copyright © 1996 -  2013 by Vaaltech Web Services. All rights reserved.