Editorials

Injection Recovery Process/Steps

by Ben Taylor

Part of Database Recovery…
… is the time it takes to actually do the recovery. Make sure you can recover specific items as you need to, and make sure it can be done accurately and in as little time as possible. If you’re not sure how to attack this and get your systems finely tuned to have things like recovering in minutes instead of hours, recovery form human error, etc., check out Acronis’ SQL Server tools. One step recovery, automated point of failure recovery and other great capabilities are all part of the system. Check it out here.

Injection Recovery Process/Steps
Several people have written in with suggestions on dealing with SQL Injection – and one in particular looks like a solid approach if your environment will support it, from Dan, more an approach for prevention than for recovery, but good information (Email your experiences, here):

"There’re no multiple row updates done to our database through the website.

I’ve added triggers on every table that test for the row count in the INSERTED table. If any count is greater than 0, it rolls back the transaction. If any are attempted, the trigger emails a few people of the activity and we’re able to check the database within a few minutes.

We’re also logging the IP address of the user who initiates a database write of any kind, so we know where they are coming from. We’ve been able to block a pretty good range of IP addresses on the firewall from this tracking."

A couple of take-aways here. First the obvious – tracking where changes are happening. Determining the IP, blocking it at the firewall is a good step. Of course you have to keep in mind that, just because you blocked an IP today doesn’t mean new IPs won’t be in use tomorrow. Just be sure to stay on top of things.

The other item here that I thought was a great idea was the concept of watching for multi-row updates and preventing them. This is a solid step, if it will work in your environment with your workload and applications, that can save you a great deal of grief. You might look into whether this type of final line of defense can be applied to some of the tables in your systems.

Featured White Paper(s)
Ponemon Survey: Understanding Threats and Priorities in IT
In this extensive survey, conducted by the Ponemon Institute, C-level executives and DBAs reveal what challenges and opportun… (read more)

ESG Lab Validation Report of the HP PolyServe Database Utility for SQL Server
ESG Lab, the testing facility of industry analyst firm Enterprise Strategy Group, reports its comprehensive testing of HP’s s… (read more)

Tags:
Author: Ben TaylorBen is a Relational Database veteran starting in the early eighties on DEC Vax database systems such as Bloom and Harvest. He has specialized in SQL engines for more than two decades, with a primary focus on Microsoft SQL Server. Ben has worked with small and large databases for both OLAP and OLTP working on systems for many industries such as Medical (Medical Claims and Eligibility Warehouse, HMO Provider Management, Enrollment), Financial (credit card processing, mortgage, stock portfolio management), Manufacturing (Assembly Line and Product Assemblies), Sales, Auto Auctions and more.