
I have a SQL Server 2005 database hosted on a shared hosting environment. Unfortunately for the last couple of months I have been having trouble with my application with some malicious scripts and html tags appended to the existing text in my database.

The text being injected looks almost like

"script src=http://somehostname/r.php ></script>"

I am using IIS 7 and enabled requestFiltering. But still the attack is hitting me so badly. How can I prevent my database from such attacks?

Thanks in advance.

marc_s
Libin TK

3 Answers


This is generally a SQL injection attack.

This consists of adding quotes or SQL code to valid user inputs.

Are you sure you escape all malicious characters in your data before using them in your queries?

Take a look at http://en.wikipedia.org/wiki/SQL_injection

Jerome Cance

It seems you are not using parameterized stored procedures or some basic prevention against attack through SQL injection.

Please go through the following link to know more : Protect From SQL Injection in ASP.NET and Preventing SQL Injection Attacks

Then for Classic ASP this link would be worth reading: SQL Injection in Classic ASP and Possible Solutions

Ashwini Verma
  • It's a legacy Classic ASP application, with a few ASP.NET pages for background tasks. Yes, the ASP application doesn't have stored procedures; it uses inline SQL commands to retrieve data from the DB. – Libin TK Mar 29 '12 at 07:59
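As an added example (not code from any answer on this page), here is the inline-SQL pattern the asker describes beside its parameterized ADODB.Command replacement for Classic ASP; the connection string, the table dbo.Notes and the columns NoteId and NoteText are assumed placeholders.

```vbscript
<%
' Added example (not from the answers above): the inline-SQL pattern beside a
' parameterized ADODB.Command. Connection string, table dbo.Notes and the
' columns NoteId / NoteText are assumed placeholders.
Option Explicit
Const adCmdText = 1, adInteger = 3, adVarWChar = 202, adParamInput = 1
Const adExecuteNoRecords = 128

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=MyDb;Integrated Security=SSPI"

' VULNERABLE: the request value is pasted into the statement text, so any quote or
' semicolon in it is parsed as SQL rather than treated as data.
Dim unsafeSql
unsafeSql = "SELECT NoteText FROM dbo.Notes WHERE NoteId = " & Request.QueryString("id")

' SAFE: the statement text is fixed and the value travels as a typed parameter.
Function LoadNote(noteId)
    Dim cmd, rs
    If Not IsNumeric(noteId) Then Err.Raise 5, "LoadNote", "id must be numeric"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT NoteText FROM dbo.Notes WHERE NoteId = ?"
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(noteId))
    Set rs = cmd.Execute
    If rs.EOF Then LoadNote = "" Else LoadNote = rs("NoteText")
    rs.Close
End Function

Sub SaveNote(noteId, text)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "UPDATE dbo.Notes SET NoteText = ? WHERE NoteId = ?"
    cmd.Parameters.Append cmd.CreateParameter("@text", adVarWChar, adParamInput, 4000, text)
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(noteId))
    cmd.Execute , , adExecuteNoRecords
End Sub

' Encode on output as well, so text already tagged in the database renders as text.
Response.Write Server.HTMLEncode(LoadNote(Request.QueryString("id")))
conn.Close
%>
```

The parameter types keep user input out of the statement text entirely, which is what the inline concatenation cannot do no matter how much filtering is applied.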

Any application that submits data into your table should strip this out as good practice. Of course, not all applications do.

If you're not using stored procedures, I suggest you create a trigger on the database table for INSERT and UPDATES and check if any illegal strings try and enter; if they do, reject the row. SQL has some string manipulation keywords such as CHARINDEX. I personally would check for common characters such as '\', ';', '$', '&' etc.

I would also try and filter out anything that has already entered your tables and delete the rows:

DELETE FROM Table
WHERE Field LIKE '%<script>%'

Alternatively, if you used a Stored Procedure and pass each field as a parameter then these characters would not enter your database.

CREATE TRIGGER [dbo].[tr_CheckSQLInjection]
ON [dbo].[Notes]
FOR INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    -- Field is a placeholder column name (as in the DELETE above); replace it with the text column being checked.
    -- A trigger already runs inside the statement's own transaction, so no nested BEGIN TRANSACTION is needed:
    -- raising an error and rolling back rejects every row the statement tried to insert or update.
    IF EXISTS (SELECT 1 FROM inserted WHERE CHARINDEX('<script', Field) > 0)
    BEGIN
        RAISERROR('Rejected: illegal string detected in Field', 16, 1);
        ROLLBACK TRANSACTION;
    END
END
Darren
  • Darren, I think it's a great idea in this context because I am using Classic ASP and ASP.NET together with no stored procedures. Unfortunately I am not familiar with these triggers. Could you please link me to a nice example? – Libin TK Mar 29 '12 at 08:03
  • Triggers: http://www.sqlteam.com/article/an-introduction-to-triggers-part-i I will edit my post to include an example too. – Darren Mar 29 '12 at 08:06
  • I would also recommend reading up on SQL Injection like the other guys have mentioned. – Darren Mar 29 '12 at 08:12