Editorials

New Onslaught of Injection Happening as We Speak

Featured Article(s)
Mastering Microsoft Business Intelligence: Introducing Named Sets in Analysis Services, Pt. 1
Part 1: Get hands-on exposure to Named Sets within Analysis Services. Join BI Architect Bill Pearson as he introduces the Mastering Microsoft Business Intelligence series, another new SSWUG exclusive.

Last Day to Register is Today – vConference Begins Tomorrow
Don’t forget – the vConference begins tomorrow morning and continues Weds., Thurs. and Fri. SQL Server, Business Intelligence, .NET Development Learning and SharePoint are all included. Check out the live sessions that go over top scripts you need, top performance tips and top things you should know about SQL Server. Also, make sure you attend the live Q&A sessions each day – ask questions, get answers, all live.

But, you need to register to attend. Register here!

New Onslaught of Injection Happening as We Speak
Just a heads-up. There is a new injection wave happening right now – it’s a blind injection routine that simply tries to run against your web-based application without regard to whether you’re returning error messages or providing feedback that a hacker can use against you.

The hack uses the fairly well-known technique of walking through your user tables and updating character columns to insert a javascript reference. What’s interesting is that the routines that are doing the poking appear to be re-attempting access numerous times and look to be automated, but we’re not sure. Remember to watch your form parameters that you’re passing in – checking each of them for tell-tale injection issues.

We’ve talked about injection before – and I’m putting together a workshop about it to talk about things you need to know about, what we’ve seen, mistakes we’ve made along the way (and learned from) and much more. The key things:

– check inputs – if it’s supposed to be a number, make sure it is. Check out isnumeric()
– use stored procedures, pass in parameters. SQL Server will force each parameter to its declared data type and will never execute the parameter value as part of the statement; it is treated strictly as data.
– clean your inputs – watch for single quotes, "CAST" and the things you should have no business seeing on your inputs.

One thing – many people filter on keywords. Those won’t trip on these types of injection attacks. The reason is that the hackers pass in data and ask SQL Server to interpret it, build a SQL statement from it, and then execute that statement. The request never contains a literal "UPDATE" (or similar keyword) that a filter could catch.

Lastly, do ALL of the protective things, all the time and test your system continually. Don’t do some, some of the time. You’ll get bit.
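As an added illustration (not from the editorial above), the T-SQL below shows the two defensive pieces discussed: a stored procedure whose typed parameter is bound as data rather than spliced into the statement, and an audit that walks every character column in the current database looking for an injected script reference. The table dbo.Products and its columns ProductID, Name and Description are assumed names.

```sql
-- Part 1: a typed parameter is never compiled as SQL text. A value such as
-- "1; <anything>" fails the INT conversion before the query runs, and a value
-- that does convert is compared as data, not executed.
CREATE PROCEDURE dbo.GetProduct
    @ProductID INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductID, Name, Description
    FROM dbo.Products
    WHERE ProductID = @ProductID;
END;
GO

-- Part 2: audit every (n)char/(n)varchar/text column for a <script reference.
-- Table and column names come from the catalog and are wrapped in QUOTENAME;
-- the only user-supplied piece, the search pattern, is bound via sp_executesql.
DECLARE @sql NVARCHAR(MAX) = N'';
DECLARE @sep NVARCHAR(20)  = N' UNION ALL' + CHAR(10);

SELECT @sql = @sql
    + N'SELECT ' + QUOTENAME(TABLE_SCHEMA + N'.' + TABLE_NAME, '''') + N' AS TableName, '
    + QUOTENAME(COLUMN_NAME, '''') + N' AS ColumnName, COUNT(*) AS Hits'
    + N' FROM ' + QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)
    + N' WHERE ' + QUOTENAME(COLUMN_NAME) + N' LIKE @pattern'
    + N' HAVING COUNT(*) > 0'
    + @sep
FROM INFORMATION_SCHEMA.COLUMNS
WHERE DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

-- Strip the trailing separator, then run with the pattern passed as a parameter.
IF LEN(@sql) > 0
BEGIN
    SET @sql = LEFT(@sql, LEN(@sql) - LEN(@sep));
    EXEC sp_executesql @sql,
                       N'@pattern NVARCHAR(100)',
                       @pattern = N'%<script%';
END;
```

Any row returned by Part 2 names a table and column that already carries the injected reference and should be cleaned and investigated, along with the form parameter that fed it.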

Featured White Paper(s)
SQL Server Fragmentation Explained
This technical white paper will help you understand SQL Server fragmentation and the performance benefits you can gain on yo… (read more)