5/22/2008

SQL Injection...restore, plug, repeat

Customer: Please restore my database
Kevin3NF: Sure thing...what happened?
Customer: SQL Injection...spam in my data
Kevin3NF: OK...have you plugged the holes in the application?
Customer: Not yet...but our site is down
Kevin3NF: Talk to you tomorrow.

Repeat ad nauseam...

You get no fries for bad coding practices. Matter of fact, you get drive-through service only. And your DB is now read-only!

:)

Kevin3NF

5/16/2008

Newest SQL Injection attack

I just watched part of the SSWUG show 106, where SQL Server MVP Stephen Wynkoop dissected the current SQL Injection attack that is propagating itself around the net. The 'cool' thing with this one is that instead of passing in SELECT, UPDATE, etc. statements to your SQL Server, it's doing a CAST of a binary string into an NVARCHAR 4000 data type. That binary string translates to an UPDATE statement that craps up all of your tables, as long as drive space is available.

So...if you are filtering on keywords, your filters will not work.

Move to stored procs...now.
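As an added example (not from the post, and not SSWUG's or Kevin's code), the Python below shows why a keyword filter misses the hex-literal form described above and how decoding the literal first lets the same filter see the UPDATE. The regex, function names and the sample request are all constructed here; the real fix remains parameterized queries or stored procedures, not smarter filtering.

```python
import re

# Pattern the post describes: a hex literal CAST to NVARCHAR(4000), so the real
# statement never appears as plain keywords in the request.
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# The DML keywords a naive input filter would look for.
DML_KEYWORDS = ("SELECT", "UPDATE", "INSERT", "DELETE", "DROP")


def naive_keyword_filter(text: str) -> bool:
    """True if a DML keyword appears literally (the filter the post says is bypassed)."""
    upper = text.upper()
    return any(k in upper for k in DML_KEYWORDS)


def decode_hex_literal(hex_digits: str) -> str:
    """Decode a 0x... literal; NVARCHAR on SQL Server is UTF-16LE, VARCHAR is single-byte."""
    if len(hex_digits) % 2:          # SQL Server left-pads odd-length literals
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # Heuristic: ASCII text encoded as UTF-16LE has a zero high byte in every pair.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def decoded_statements(text: str) -> list:
    """Every CAST(0x... AS NVARCHAR(n)) literal in the text, decoded to its statement."""
    return [decode_hex_literal(m.group(1)) for m in CAST_HEX_RE.finditer(text)]


def flag_request(text: str) -> bool:
    """Keyword check on the raw text plus on every decoded hex literal."""
    if naive_keyword_filter(text):
        return True
    return any(naive_keyword_filter(stmt) for stmt in decoded_statements(text))


# Constructed sample: a harmless statement encoded the way the post describes
# (UTF-16LE bytes as a hex literal) inside a request parameter value.
SAMPLE_STATEMENT = "UPDATE t SET c='x'"
SAMPLE_HEX = SAMPLE_STATEMENT.encode("utf-16-le").hex()
SAMPLE_REQUEST = f"id=1;CAST(0x{SAMPLE_HEX} AS NVARCHAR(4000))"

if __name__ == "__main__":
    print("naive filter catches it:", naive_keyword_filter(SAMPLE_REQUEST))  # False
    print("decoded:", decoded_statements(SAMPLE_REQUEST))
    print("decode-then-filter catches it:", flag_request(SAMPLE_REQUEST))   # True
```

Running it over web-server logs or captured parameter values is a useful after-the-fact check for the unexpected growth Kevin mentions; it does not replace parameterization.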

I saw the tail end of this yesterday. The only reason my customer didn't suffer worse is that they had a database size cap of 150 MB (shared SQL Server), and we started looking into the unexpected growth.

Take care out there!

Kevin3NF