1

I have applied table-level encryption using TDE to my database, and am accessing the database from my Windows application through proper authentication.

My query may look like the following (opens a wide entry for injection).

VB

Dim myQuery = "Select * from myTable where some_id='" & txtUserId.Text & "'"

C#

string myQuery = "Select * from myTable where some_id='" + txtUserId.Text + "'";

Consider that an intruder is trying some injection technique, entering text like sameValue' or 1=1 or ' so that it will give the whole data. My question is: in this case, will he get the encrypted data or the actual data?

Note: I don't use such queries in my application; I am using parameterized queries and SPs throughout my application. I am asking this just for clarification.

sujith karivelil

2 Answers

3

TDE is encrypting data at rest (link here), and as such does not protect you from injection. It's only encrypting the data files and data logs.

b0redom
2

He will get the actual data. Yes, TDE encrypts the entire database, but it only matters if someone walks away with the database files or the backup. If someone logs into the database, or sneaks in through SQL injection, there is no difference; he will get the actual data.

bot_insane
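Since both answers agree that TDE does nothing on the query path, the control that matters for the question's query is parameterization. The following is an added example, not code from the question or either answer: the same lookup on myTable/some_id written with a bound parameter. The helper name, the connection string argument and the NVARCHAR(50) column type are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class MyTableQueries
{
    // Hypothetical helper: connectionString and the NVARCHAR(50) type of
    // some_id are assumptions; myTable and some_id come from the question.
    public static DataTable FindBySomeId(string connectionString, string userInput)
    {
        // The SQL text is a constant; user input never becomes part of it.
        const string sql = "SELECT * FROM myTable WHERE some_id = @someId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value is sent separately from the statement, so input such as
            //   sameValue' or 1=1 or '
            // is compared against some_id as one literal string and cannot
            // alter the WHERE clause.
            cmd.Parameters.Add("@someId", SqlDbType.NVarChar, 50).Value =
                userInput ?? string.Empty;

            var result = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection if needed and closes it afterwards.
                adapter.Fill(result);
            }

            // TDE is transparent to this authenticated session: rows arrive
            // decrypted whether the query was parameterized or concatenated.
            // Only the data files, log files and backups are encrypted.
            return result;
        }
    }
}
```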