
SQL Injection Attacks: Is Your Data Secure?



SQL injection is one of the most common ways that hackers gain access to your SQL server. Do you know how to protect your data from malicious users? This session will provide an overview of how SQL injection works as well as T-SQL examples and techniques to protect against it. We’ll also take a look at why some commonly used techniques aren’t as secure as many people think. If you ever write or maintain dynamic SQL queries then this session is for you.

Published in: Technology


  1. SQL Injection Attacks: Is Your Data Secure? | Bert Wagner | November 14, 2017
  2. Objective: SQL injection prevention does not have an “easy” solution
  3. Disclaimers
     • Try this at home
     • Not at work
     • Not on other people’s systems
  4. Background
     • Business Intelligence Developer
     • Tech security enthusiast
     • Saw my first injection attempts in ~2001 – MySQL logs
     Demo code and slides available at
  5. Overview
     1. Importance of SQL injection protection
     2. Dynamic SQL
     3. What does SQL injection look like?
     4. Common misconceptions
     5. Preventing SQL injection
  6. • Data Leaks
     • Data Validity
     • Server Availability
  7. Dynamic SQL: “Just because you can, doesn’t mean you should.”
     • Can’t parameterize everything
     • Adaptable Queries
     • Performance
     However…
  8. What is SQL Injection?
     • Dynamic string execution
     • Unsanitized input
     • Performing something the query wasn’t originally intended to do
  9. Let’s go back to 1998…
  10. OWASP 2004
  11. OWASP – Present Day
  12. Common Misconceptions: “The structure of my database isn’t public” – You don’t have a Users table? Products? Inventory? etc... “The Amazing Bert”
  13. Common Misconceptions: “I obfuscate my table names” – sys.objects? Errors displayed in app? Logs, emails, social engineering…?
  14. Common Misconceptions: “The developers should validate, restrict output” – True. But multiple layers of security are better than one.
  15. Common Misconceptions: “I’m not important enough to get hacked” – Automated injection tools target everyone
  16. Protecting Against SQL Injection: must take a multi-layered approach. Demos:
     • Don’t write dynamic SQL
     • sp_executesql
     • QUOTENAME()
     • REPLACE()
     • EXECUTE AS
     • Limit inputs
     • Homoglyph attacks
     • Proactively find injection vulnerabilities
  17. Other Tools
     • sqlmap
     • Azure SQL
     • Continuous monitoring tools
  18. Recap
     • No easy, single-approach solution
     • Validate, sanitize, escape
     • Developers and DBAs both responsible
     • Limit executing account privileges
     • Use other software to help test, find vulnerabilities
  19. Thank you! Twitter: @bertwagner Blog: <- new posts Tuesdays Vlog: <- new videos Tuesdays Email:
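As an added illustration of the sp_executesql and QUOTENAME() techniques listed on slide 16 (example T-SQL written for this page, not the session's own demo code; it assumes a hypothetical dbo.Products table with Name and Price columns), the string-concatenation version of a dynamic search is shown beside a parameterized one:

```sql
-- Constructed demo objects; not part of the original session.
-- Requires SQL Server 2016 SP1+ for CREATE OR ALTER.

-- Vulnerable: the user's value becomes part of the statement text, so any
-- input containing a quote or comment marker changes the query's structure.
CREATE OR ALTER PROCEDURE dbo.SearchProducts_Unsafe
    @TableName sysname,
    @NameFilter nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Name, Price FROM dbo.' + @TableName +
        N' WHERE Name LIKE ''%' + @NameFilter + N'%''';
    EXEC (@sql);   -- executes whatever string the input produced
END;
GO

-- Hardened: the identifier is bracket-quoted and checked against the catalog,
-- and the search value travels as a typed parameter that is never parsed as SQL.
CREATE OR ALTER PROCEDURE dbo.SearchProducts_Safe
    @TableName sysname,
    @NameFilter nvarchar(100)
AS
BEGIN
    -- QUOTENAME() returns NULL when its input exceeds 128 characters; treat
    -- that as a rejected name instead of letting NULL collapse the statement.
    DECLARE @quotedTable nvarchar(258) = QUOTENAME(@TableName);
    IF @quotedTable IS NULL
        THROW 50000, N'Invalid table name', 1;

    -- Allow-list check: only a user table that actually exists in dbo may be named.
    IF OBJECT_ID(N'dbo.' + @quotedTable, N'U') IS NULL
        THROW 50001, N'Unknown table', 1;

    -- The value is referenced as @filter inside the SQL text, not concatenated.
    DECLARE @sql nvarchar(max) =
        N'SELECT Name, Price FROM dbo.' + @quotedTable +
        N' WHERE Name LIKE ''%'' + @filter + ''%''';

    -- sp_executesql binds @filter as data: an apostrophe or "--" in the input
    -- is matched literally rather than altering the query.
    EXEC sys.sp_executesql
        @sql,
        N'@filter nvarchar(100)',
        @filter = @NameFilter;
END;
GO

-- Constructed call: the apostrophe in O'Brien is just a character to search for.
EXEC dbo.SearchProducts_Safe @TableName = N'Products', @NameFilter = N'O''Brien';
```

Note that LIKE wildcards (% and _) in @NameFilter are still interpreted as wildcards; limit or escape them separately if exact substring matching is required.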