SQL Injection Attacks – DunDDD 2012

Examples

The examples were run against a copy of the Adventure Works database.

Basic Demo (ASP.NET MVC / C# / Visual Studio 2010)
Second Order Demo (WinForms / C# / Visual Studio 2010)

Required Tables

For the Second Order Demo you need the following table added to the Adventure Works database: CREATE TABLE [dbo].[FavouriteSearch]( [id] …

SQL Server User Group: SQL Injection Attacks

Examples

The examples were run against a copy of the Adventure Works database.

Basic Demo (ASP.NET MVC / C# / Visual Studio 2010)
Second Order Demo (WinForms / C# / Visual Studio 2010)

Required Tables

For the Second Order Demo you need the following table added to the Adventure Works database: CREATE TABLE [dbo].[FavouriteSearch]( [id] …

Upcoming talks

My SQL Injection Attack prevention talk is on the road. I’ve already given the talk in Dundee, Newport and Nuneaton. And in the coming months I’ll be delivering it in Glasgow, London and Newcastle. If you want to come and learn about securing your database from a developer perspective you can come along. Glasgow, 4th …

SQL Injection Attacks and Tips on How to Prevent Them

I’m giving a talk in Dundee on the topic of SQL Injection Attacks. If you are interested in the subject then the registration link is at the bottom of the page.

Wednesday, 28th October 2009, 19:00 – 21:00
Queen Margaret Building, Dundee University

The Talk

In light of some recent events, such as the …

If you really must do dynamic SQL…

I may have mentioned in previous posts and articles about SQL Injection Attacks that dynamic SQL (building SQL commands by concatenating strings together) is a source of failure in the security of a data-driven application. Because the user’s text becomes part of the command itself, it is easy to inject malicious SQL that changes what the statement does and makes the system return incorrect responses. Generally the …
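As an added illustration of the concatenation problem described above, and of the second-order case that the Second Order Demo and its FavouriteSearch table refer to, here is a self-contained Python/SQLite stand-in. It is not the page’s C#/SQL Server demo code: the Person table and its columns, the SearchTerm column in FavouriteSearch, the seed rows and the payload are all constructed for this example. The point carries over unchanged to SQL Server, where the parameterised form is a SqlParameter on a SqlCommand, or sp_executesql with parameters if the SQL really must be assembled at run time.

```python
import sqlite3

# Constructed seed data standing in for Adventure Works; names and columns are assumptions.
SEED_PEOPLE = [
    ("Ken", "Sanchez", "ken0@example.com"),
    ("Terri", "Duffy", "terri0@example.com"),
    ("Roberto", "Tamburello", "roberto0@example.com"),
]

# A classic tautology payload: closes the quoted literal and appends an always-true condition.
TAUTOLOGY = "' OR 'a'='a"


def build_db():
    """Create an in-memory database with a Person table and the FavouriteSearch table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Person (
            id INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT, Email TEXT);
        CREATE TABLE FavouriteSearch (
            id INTEGER PRIMARY KEY, SearchTerm TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO Person (FirstName, LastName, Email) VALUES (?, ?, ?)", SEED_PEOPLE
    )
    conn.commit()
    return conn


def search_unsafe(conn, last_name):
    """Dynamic SQL by concatenation: the caller's text becomes part of the statement."""
    sql = "SELECT FirstName, LastName FROM Person WHERE LastName = '" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, last_name):
    """Parameterised query: the value is bound separately and cannot alter the statement."""
    sql = "SELECT FirstName, LastName FROM Person WHERE LastName = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def save_favourite(conn, term):
    """Store a search term. This INSERT uses a parameter and is itself safe,
    but the stored text is still whatever the user typed."""
    cur = conn.execute("INSERT INTO FavouriteSearch (SearchTerm) VALUES (?)", (term,))
    conn.commit()
    return cur.lastrowid


def rerun_favourite_unsafe(conn, fav_id):
    """Second-order injection: a value read back from our own table looks trusted,
    but concatenating it re-introduces the payload that was saved earlier."""
    term = conn.execute(
        "SELECT SearchTerm FROM FavouriteSearch WHERE id = ?", (fav_id,)
    ).fetchone()[0]
    return search_unsafe(conn, term)


def rerun_favourite_safe(conn, fav_id):
    """Same flow, but the stored term is bound as a parameter at the point of use."""
    term = conn.execute(
        "SELECT SearchTerm FROM FavouriteSearch WHERE id = ?", (fav_id,)
    ).fetchone()[0]
    return search_safe(conn, term)


if __name__ == "__main__":
    db = build_db()
    print("normal search:", search_unsafe(db, "Duffy"))
    print("concatenated + payload:", search_unsafe(db, TAUTOLOGY))  # every row comes back
    print("parameterised + payload:", search_safe(db, TAUTOLOGY))   # no rows match
    fid = save_favourite(db, TAUTOLOGY)
    print("second order, concatenated:", rerun_favourite_unsafe(db, fid))
    print("second order, parameterised:", rerun_favourite_safe(db, fid))
```

Run it as a script to see the three outcomes side by side: the concatenated search hands back every row for the payload, the parameterised search hands back none, and the favourite-search path shows that parameterising the INSERT alone does not help if the value is later concatenated when it is read back.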

BBC repeating mindless nonsense

I’ve just read a report from the BBC that simply repeats some mindless drivel about SQL Injection Attacks from a spokesman for the US Department of Justice. According to the BBC: Edward Wilding, a fraud investigator, told the BBC that this method was “a pretty standard way” for fraudsters to try to access personal data. …

SQL Injection Attacks

Every day I see messages on various forums asking for help with SQL. Nothing wrong with that. People want to understand how something works, or have a partial understanding but something is keeping them from completing their task. However, I frequently also see messages that have SQL statements being built in C# or VB.NET that are extremely …

UPDATE: Sql Injection Attacks

As a follow up to my post on preventing SQL Injection Attacks a couple of months ago I just found this little nugget, I Made a Difference, and it shows what can be achieved if you don’t secure against SQL Injection attacks – and with only 3 hours of effort. Obviously, if you have access to the source code …