<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.iis.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:cs="http://blogs.iis.net/"><channel><title>Protection from SQL Injection</title><link>http://blogs.iis.net/tomwoolums/archive/2008/08/29/protection-from-sql-injection.aspx</link><description>I just finished watching a short video on YouTube of a 13-year-old kid showing people how to hack into a retail Web site. It only took him a couple of minutes and one simple technique to gain access to their customers&amp;#8217; personal information&amp;#8212;including</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>re: Protection from SQL Injection</title><link>http://blogs.iis.net/tomwoolums/archive/2008/08/29/protection-from-sql-injection.aspx#2594158</link><pubDate>Tue, 02 Sep 2008 06:09:05 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:2594158</guid><dc:creator>bholyfield</dc:creator><description>&lt;p&gt;URLScan is a great defense mechanism for web server attacks, but I have found that it is not flexible enough to defend against web application-level attacks like SQL Injection. &amp;nbsp; The group I work with just released a free module for IIS (called SPF) that provides a flexible mechanism for blocking malicious requests. &amp;nbsp;It provides coverage options for Query Strings, POST data and Cookies (whereas URLScan is limited to just Query Strings). &amp;nbsp;It also supports use of regular expressions to define malicious input sequences.&lt;/p&gt;
&lt;p&gt;SPF for IIS is available for free and can be downloaded from our website: &lt;a rel="nofollow" target="_new" href="http://www.gdssecurity.com/l/b/category/tools/"&gt;www.gdssecurity.com/.../tools&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;You can also find out more about it from the following Blog post: &amp;nbsp;&lt;a rel="nofollow" target="_new" href="http://www.gdssecurity.com/l/b/2008/08/22/iis-secure-parameter-filter-spf-released/"&gt;www.gdssecurity.com/.../iis-secure-parameter-filter-spf-released&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>re: Protection from SQL Injection</title><link>http://blogs.iis.net/tomwoolums/archive/2008/08/29/protection-from-sql-injection.aspx#2592257</link><pubDate>Mon, 01 Sep 2008 07:24:21 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:2592257</guid><dc:creator>Anonymous</dc:creator><description>&lt;p&gt;Thanks guys. Very helpful.&lt;/p&gt;
</description></item><item><title>re: Protection from SQL Injection</title><link>http://blogs.iis.net/tomwoolums/archive/2008/08/29/protection-from-sql-injection.aspx#2590946</link><pubDate>Sat, 30 Aug 2008 23:55:47 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:2590946</guid><dc:creator>Anonymous</dc:creator><description>&lt;p&gt;If a site is written correctly, SQL injection should not be an issue at all. The basic steps that should be taken include...&lt;/p&gt;
&lt;p&gt;1. Always use parameterised Queries or Stored Procedures.&lt;/p&gt;
&lt;p&gt;2. The SQL login used by the scripts in the site should only have access to do what is required and nothing more. For example, if the site user only requires access to a limited sub-set of stored procedures, ensure that these stored procedures are all it can access.&lt;/p&gt;
&lt;p&gt;All the user input validation in the world cannot fully protect against SQL injection. However, if you religiously follow these 2 basic principles, it will.&lt;/p&gt;
&lt;p&gt;Basically, the only reason SQL injection works is because sites dynamically create arbitrary SQL using hard-coded strings combined with user-entered data and pass. The problem here is that there's always the possibility that the user-entered data can contain SQL commands.&lt;/p&gt;
&lt;p&gt;If instead you use parameterised queries, then the user-entered data is only ever treated as data, never SQL commands, so basically it can contain whatever it likes and it won't be harmful.&lt;/p&gt;
</description></item></channel></rss>