Tips for using SQL Server 2005 Join Hints

Featured Article(s)
Tips for using SQL Server 2005 Join Hints
In this article, you can find some helpful tips to use SQL Server 2005 join hints.

Best Practices – How to Establish Them, Where to Find Them
Kathy wrote in with some lessons-learned that have become best practices – and there is a key item in the things she’s applying to her applications.

"I develop in-house software. So the first time that I created a web app directed for use by people outside my company, I realized that letting the gory details get dumped to the web page would be intimidating to them and also that they would not be able to report problems to me. With .NET code, I knew I could capture errors, so what I did was to dump all the gory details into a database table that had a trigger that sent all the details to me via email. A light-bulb moment. I went back and retrofitted my in-house apps to do the same. Now if an error occurs, the user sees the message “an error occurred and the administrator has been notified”.

Benefits:
(1) users don’t need to call or email me that there was a problem
(2) no gory details are displayed to the public [or hackers]
(3) repeated errors within a short time-period might be an indication of
    (a) a user needs help or
    (b) someone is trying to hack.

Where do I get “best practices” –

Whatever makes sense to me (I am the only db/web programmer in my group; there is no communication between db/web programmers in different groups). I do read trade mags and various internet articles and go to conferences once/year. When I come across something that appears useful, I try it out. If it works, I keep it."

This practice of hiding errors (some call it swallowing the error message) goes a long way toward addressing injection-type attacks. If an attacker cannot see the errors returned by SQL Server, it’s more difficult to hack the system in the first place. Sure, there are other ways, but this is a key item that every system should do. Never air your dirty laundry (the error messages) for the end user to see. They won’t know what to do with or about the error, and you’ll be opening your system to hackers looking to do it harm.
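Here is a sketch of the pattern in T-SQL for SQL Server 2005, added as an illustration; it is not Kathy's code. All object names, the `@ClientIp` parameter supplied by the web tier, and the five-errors-in-ten-minutes threshold are assumptions. It does the capture server-side with TRY...CATCH rather than in .NET, and adds the query behind benefit (3).

```sql
-- Added example; every object name here (dbo.AppErrorLog, dbo.Orders, ...) is hypothetical.
CREATE TABLE dbo.AppErrorLog (
    ErrorLogId   INT IDENTITY(1,1) PRIMARY KEY,
    LoggedAt     DATETIME       NOT NULL DEFAULT GETDATE(),
    ClientIp     VARCHAR(45)    NULL,   -- supplied by the web tier
    Source       NVARCHAR(256)  NULL,   -- page URL or procedure name
    ErrorNumber  INT            NULL,
    ErrorMessage NVARCHAR(4000) NULL
);
GO
-- The application login needs only EXECUTE on this procedure, not table access.
CREATE PROCEDURE dbo.usp_LogAppError
    @ClientIp VARCHAR(45), @Source NVARCHAR(256),
    @ErrorNumber INT, @ErrorMessage NVARCHAR(4000)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.AppErrorLog (ClientIp, Source, ErrorNumber, ErrorMessage)
    VALUES (@ClientIp, @Source, @ErrorNumber, @ErrorMessage);
END;
GO
CREATE PROCEDURE dbo.usp_UpdateOrderStatus
    @OrderId INT, @Status VARCHAR(20), @ClientIp VARCHAR(45)
AS
BEGIN
    SET NOCOUNT ON;
    BEGIN TRY
        BEGIN TRANSACTION;
        UPDATE dbo.Orders SET Status = @Status WHERE OrderId = @OrderId;
        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        -- Roll back first so the log insert is not part of the failed transaction.
        IF XACT_STATE() <> 0 ROLLBACK TRANSACTION;
        DECLARE @Num INT, @Msg NVARCHAR(4000);
        SELECT @Num = ERROR_NUMBER(), @Msg = ERROR_MESSAGE();
        EXEC dbo.usp_LogAppError @ClientIp, N'dbo.usp_UpdateOrderStatus', @Num, @Msg;
        -- Fixed text only: no object names, column names or SQL fragments.
        RAISERROR('An error occurred and the administrator has been notified.', 16, 1);
    END CATCH
END;
GO
-- Benefit (3): clients with five or more logged errors in the last ten minutes.
SELECT ClientIp, COUNT(*) AS ErrorCount,
       MIN(LoggedAt) AS FirstSeen, MAX(LoggedAt) AS LastSeen
FROM dbo.AppErrorLog
WHERE LoggedAt >= DATEADD(minute, -10, GETDATE())
GROUP BY ClientIp
HAVING COUNT(*) >= 5;
```

The full error text stays in `dbo.AppErrorLog`; an e-mail notification like the one Kathy describes would hang off that table.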

SQL Server Show
SelectViews: Auditing actions against your server, small business contracts and tips, examining old schemas for extras. Also, full-text synonyms, industry noise and news plus other tips and tricks.

Featured White Paper(s)
Rock On as a SQL DBA – The More You Know, the Better Off You Are
As a SQL Server DBA, you may have already begun to experience the phenomenon of dependency creep where more and more there ar… (read more)