Chapter 8. Securely Accessing Databases

At some point, it is likely your Web application will need to use a database. And, as soon as you introduce a database, you introduce a new set of potential vulnerabilities.

In this chapter you will learn about the following:

  • How simple data queries can expose your data

  • How to safely query databases

  • How to secure your SQL Server database

Because this book is firmly focused on ASP.NET and the Microsoft technology stack, the SQL injection attacks are demonstrated on Microsoft SQL Server. However, nearly all database servers are vulnerable to injection attacks. The mitigations in this chapter are equally applicable to Oracle, PostgreSQL, and, to a lesser ...
