SQL Injection Attack
Summary of Video
Demonstrates a SQL injection attack against a stored procedure that builds its query by string concatenation, contrasts it with a procedure that uses a true parameter, and shows how to prevent the attack.
Prerequisites
Working knowledge of SQL and Stored Procedures
Video Link
Support Materials
http://msdn.microsoft.com/en-us/library/ms161953%28v=sql.105%29.aspx – MSDN Article on SQL Injection
-- Demo script from the video, laid out one statement per line. Two defects in the
-- transcribed script are fixed so it runs top to bottom: the INSERT lacked its column
-- list and VALUES keyword, and sp_SelectStudent2 was created with ALTER PROCEDURE
-- although it did not exist yet. GO separators are added because CREATE PROCEDURE
-- must be the only statement in its batch.

CREATE TABLE Students (
    id INT PRIMARY KEY IDENTITY(1,1),
    FirstName NVARCHAR(200),
    LastName NVARCHAR(200)
)
GO

INSERT INTO Students (FirstName, LastName) VALUES ('John', 'Doe')
GO

-- Safe version: @StudentName is bound as a parameter, so its value is never parsed
-- as SQL, whatever characters it contains.
CREATE PROCEDURE sp_SelectStudent ( @StudentName VARCHAR(200) )
AS
BEGIN
    SELECT * FROM Students WHERE FirstName = @StudentName
END
GO

EXEC sp_SelectStudent 'John'
-- The injected text is simply compared against FirstName; sp_helpuser does not run.
EXEC sp_SelectStudent 'John''; EXEC sp_HelpUser --'

-- Vulnerable version (deliberately): the parameter is concatenated into a query
-- string and executed, so a quote in the input closes the literal and the rest of
-- the input is executed as SQL.
CREATE PROCEDURE sp_SelectStudent2 ( @StudentName VARCHAR(200) )
AS
BEGIN
    DECLARE @Query NVARCHAR(500)
    SET @Query = 'SELECT * FROM Students WHERE FirstName = ''' + @StudentName + ''''
    PRINT @Query
    EXECUTE(@Query)
END
GO

-- A throwaway table for the attack to destroy.
CREATE TABLE Sacrifice (
    id INT PRIMARY KEY,
    Field1 NVARCHAR(200)
)
GO

EXEC sp_SelectStudent2 'John'
-- Executes: SELECT * FROM Students WHERE FirstName = 'John'; DROP TABLE Sacrifice --'
EXEC sp_SelectStudent2 'John''; DROP TABLE Sacrifice --'
-- Executes sp_helpuser as a second statement, listing the database's users.
EXEC sp_SelectStudent2 'John''; EXEC sp_HelpUser --'
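The script above shows that sp_SelectStudent is safe only because it never builds SQL text. When a procedure genuinely needs dynamic SQL, the fix is to keep the user-supplied value out of the SQL string and bind it through sp_executesql instead. The following is an added example for this page, not code from the video; it assumes the Students and Sacrifice tables created by the script above already exist, and the procedure names sp_SelectStudent3 and sp_SelectByTable are invented for illustration. It also goes one step beyond the lesson by covering the case where the dynamic part is an identifier rather than a value, which cannot be parameterized.

```sql
-- Added example (not from the video). Hardened form of sp_SelectStudent2: the SQL
-- text is a constant and the user value travels as a parameter of sp_executesql.
CREATE PROCEDURE sp_SelectStudent3 ( @StudentName NVARCHAR(200) )
AS
BEGIN
    DECLARE @Query NVARCHAR(500)
    -- @Name is a placeholder inside the statement, not a concatenated value.
    SET @Query = N'SELECT * FROM Students WHERE FirstName = @Name'
    PRINT @Query
    EXEC sp_executesql @Query, N'@Name NVARCHAR(200)', @Name = @StudentName
END
GO

-- Returns the John Doe row.
EXEC sp_SelectStudent3 'John'
-- Returns no rows: the entire string is compared against FirstName as data.
-- The Sacrifice table survives and sp_helpuser is not executed.
EXEC sp_SelectStudent3 'John''; DROP TABLE Sacrifice --'
EXEC sp_SelectStudent3 'John''; EXEC sp_HelpUser --'

-- When the dynamic part is an identifier (here a table name) it cannot be a
-- parameter. Allow-list it against the catalog and wrap it with QUOTENAME so that
-- a stray ] or ' in the input cannot terminate the identifier. The value part is
-- still bound through sp_executesql.
CREATE PROCEDURE sp_SelectByTable ( @TableName SYSNAME, @StudentName NVARCHAR(200) )
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.tables WHERE name = @TableName)
    BEGIN
        RAISERROR('Unknown table', 16, 1)
        RETURN
    END
    DECLARE @Query NVARCHAR(500)
    SET @Query = N'SELECT * FROM ' + QUOTENAME(@TableName) + N' WHERE FirstName = @Name'
    PRINT @Query
    EXEC sp_executesql @Query, N'@Name NVARCHAR(200)', @Name = @StudentName
END
GO

-- Returns the John Doe row.
EXEC sp_SelectByTable 'Students', 'John'
-- Rejected by the sys.tables check before any SQL text is built.
EXEC sp_SelectByTable 'Students; DROP TABLE Sacrifice --', 'John'
```

The PRINT in sp_SelectStudent3 makes the difference visible: the printed statement contains the literal text @Name rather than the attacker's input, because the input never becomes part of the SQL being compiled. The sp_ prefix is kept only to match the lesson's naming; in production it is best avoided, since SQL Server resolves sp_-prefixed names against the master database first.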
All Materials Copyright 2012 Dr. Ron Eaglin