When we compare database servers with Web servers, we find that Web servers are amazingly more secure than database servers. This isn't simply a question of more functionality; Web servers hang out there on the Internet and database servers are buried deep behind firewalls in the core of the network. Consumers generally demand that their Web servers be secure and are, bizarrely, more forgiving when it comes to their databases. After reading this chapter, we hope you will share the opinion that database administrators (DBAs) should care a little less about speed and a little more about protecting their vital assets: data. Our vendors will provide us with more secure database server software only when we demand it.

No one vendor is any better than another. That said, in the very recent past we have seen some extremely positive moves made by the larger players in the RDBMS arena with a more proactive stance being taken as far as security is concerned. More needs to be done, but we're finally moving in the right direction. So, stepping down from the soapbox, let's examine the ways in which attackers can currently gain control over database servers; knowledge of how this is done will allow DBAs to design and implement a more holistic defensive strategy.

Database servers store data in a structured manner, using tables to group common or related chunks of data in columns. This data is queried, updated, and deleted using Structured Query Language (SQL). ...