Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SQL Injection Attacks - Is Your Data Secure? GroupBy Conference


Published on

SQL injection is one of the most common ways that hackers gain access to your SQL server. Do you know how to harden your queries and protect your data from malicious users?

This session will provide an overview of how SQL injection works and how to write injection-proof queries through a series of T-SQL demos. We’ll also take a look at why some commonly used techniques aren’t as secure as many people think.

If you ever write or maintain dynamic SQL queries, or work with developers who do, then this session is for you.

Published in: Technology
  • Be the first to comment

SQL Injection Attacks - Is Your Data Secure? GroupBy Conference

  1. 1. SQL Injection Attacks: Is Your Data Secure? | Bert Wagner | March 16, 2018
  2. 2. Objective SQL injection prevention does not have an “easy” solution
  3. 3. Disclaimers • Try this at home • Not at work • Not on other people’s systems
  4. 4. Background • Business Intelligence Developer • Tech security enthusiast • Saw my first injection attempts in ~2001 – MySQL logs Demo code and slides available at
  5. 5. Overview 1. Importance of SQL injection protection 2. Dynamic SQL 3. What does SQL injection look like? 4. Common misconceptions 5. Preventing SQL injection
  6. 6. • Data Leaks • Data Validity • Server Availability
  7. 7. Dynamic SQL “Just because you can, doesn’t mean you should.” • Can’t parameterize everything • Adaptable Queries • Performance However…
  8. 8. What is SQL Injection? • Dynamic string execution • Unsanitized input (could be from a column or parameter) • Performing something the query wasn’t originally intended to do
  9. 9. What is SQL Injection? SQL injection can occur without concatenated parameters too
  10. 10. Let’s go back to 1998…
  11. 11. OWASP 2004
  12. 12. OWASP – Present Day
  13. 13. Common Misconceptions “The structure of my database isn’t public” You don’t have a Users table? Products? Inventory? etc... “The Amazing Bert”
  14. 14. Common Misconceptions “I obfuscate my table names” sys.objects? Errors displayed in app? Logs, emails, social engineering…?
  15. 15. Common Misconceptions “The developers should validate, restrict output” True. But multiple layers of security are better than one. Front end validation doesn’t stop malicious users Server side validation stops some
  16. 16. Common Misconceptions “I’m not important enough to get hacked” Automated injection tools target everyone
  17. 17. Common Misconceptions “I use an ORM to code my SQL queries” ORMs are still vulnerable if you need to pass an argument that can’t be parameterized by SQL Server or if you use a vulnerable stored procedure ORMs are vulnerable other ways too:
  18. 18. Protecting Against SQL Injection Must take a multi-layered approach. Demos: • Don’t write dynamic SQL • sp_executesql • QUOTENAME() • REPLACE() • EXECUTE AS • Limit inputs • Homoglyph attacks • Proactively find injection vulnerabilities
  19. 19. Recap • No easy, single-approach solution • Validate, sanitize, escape • Developers and DBAs both responsible • Limit executing account privileges • Use other software to help test, find vulnerabilities
  20. 20. Thank you! @bertwagner 20 New posts and videos every Tuesday!