Editorials

SQL Injection Point of Interest


vWorkshop – Last Days to Register – Register Now!
SQL Server Performance – Presented by Stephen Wynkoop
I’ll be doing a virtual workshop THURSDAY – several hours on SQL Server performance. Find out about indexes, TSQL tips, monitoring and more. Check out the site for a more detailed outline – you can even get a certificate if you pass the quiz at the end! Just be sure to register now to save your spot. I’ll be doing the presentation, answering questions in chat and I’ll do my best to make sure you get the information you need.

[Get the outline] [Register for the workshop]

Webcast Tomorrow – Register Now
End to End Database Development

How to manage the database Application Lifecycle. This session will discuss team-focused database development challenges, and will present tried and true methodologies for dealing with database development issues. This session is a must-attend for any database developer working in a team environment. Presented by: Ted Malone

> Register Now
> Live date: 11/18/2009 at 12:00 Pacific

Featured Article(s)
Tips on getting more out of your SharePoint search
SharePoint has great search capabilities, but there is way more you can do to make it more useful to your users. If you take a look at large commerce sites out there on the Internet – it's about presenting intelligent results and facets rather than large advanced search pages upfront. Here, we'll take a look at how you can easily do the same for your SharePoint site.

SQL Injection Point of Interest
I’ve been working with three different clients recently on some SQL Injection issues. Oddly, all three clients came in with nearly the same issue and had all thought they were safe from injection.

First, they had moved their SQL statements to stored procedures. Second, they had stopped showing error messages to the client application if something happens.

Both are great and important steps, but there are key things on both that you should know. On the error messages, just because you’re not showing the error messages doesn’t mean a potential hacker is unable to do their work. Blind injection means that they essentially just keep trying to see if something, anything, will get through. They can build statements based on how your system responds and still accomplish the injection. Getting rid of the error messages is an important step, but it’s not the be-all, end-all solution.

The killer though is the stored procedure. These three different customers had moved their search processes to stored procedures. They previously would build the SQL statement in the ASP or .NET page, then execute it from the web application. Of course this is asking for trouble, so they were now sending the parameters to the stored procedure, building the statement there and executing it. Yikes. This approach was still open to injection because it built the SQL statement dynamically from the parameter values and executed it, rather than passing in typed parameters that the query uses only as values.
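As an added illustration (not code from the original editorial or from any of the clients described), the three T-SQL procedures below contrast the pattern just described with two parameterized forms; the dbo.Product table and its columns are assumed for the example.

```sql
-- The pattern described above: the parameter is typed as a string, but its
-- CONTENT is pasted into the statement text and executed, so a value that
-- contains a quote character changes the structure of the query itself.
-- (dbo.Product, ProductID, Name and ListPrice are assumed names.)
CREATE PROCEDURE dbo.SearchProducts_Unsafe
    @SearchTerm nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductID, Name, ListPrice FROM dbo.Product '
             + N'WHERE Name LIKE ''%' + @SearchTerm + N'%''';
    EXEC (@sql);   -- whatever @SearchTerm held is now part of the SQL text
END;
GO

-- Hardened form 1: no dynamic SQL at all. The parameter is only ever a
-- value at execution time; it can never become part of the statement.
CREATE PROCEDURE dbo.SearchProducts
    @SearchTerm nvarchar(100)
AS
BEGIN
    SELECT ProductID, Name, ListPrice
    FROM dbo.Product
    WHERE Name LIKE N'%' + @SearchTerm + N'%';
END;
GO

-- Hardened form 2: when the statement really must be built at run time
-- (here, an optional price filter), vary only the STRUCTURE in the string
-- and hand every user-supplied VALUE to sp_executesql as a typed parameter.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @SearchTerm nvarchar(100),
    @MaxPrice   money = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductID, Name, ListPrice FROM dbo.Product '
      + N'WHERE Name LIKE N''%'' + @term + N''%''';
    IF @MaxPrice IS NOT NULL
        SET @sql += N' AND ListPrice <= @maxPrice';  -- fixed text, no values

    EXEC sp_executesql
        @sql,
        N'@term nvarchar(100), @maxPrice money',      -- parameter definitions
        @term = @SearchTerm, @maxPrice = @MaxPrice;   -- values bound, not spliced
END;
GO
```

When you walk through a procedure as the editorial suggests, the question to ask at each EXEC is exactly this one: does any user-supplied value reach the string that gets executed, or only the parameter list?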

Be sure you understand the goal of injection, then check it against your system and how you implement your queries. Walk through your stored procedure, step by step, and see what the variables are holding and what statements are being built. Make sure you’re really protecting things along the way by filtering, using parameters and so on.

You’ll be able to sleep a lot better at night I think.

Webcast Available Now:
Database Recovery 101

Every DBA is required to maintain good backups of their systems. But what are your options for recovering the system once you do experience a failure? In this presentation you’ll learn how to restore various types of database backups, the impact the recovery process has on your system, and how to estimate downtime and time to recover. Presented by: Buck Woody

> Watch Now

Did You Know?
Did you know that, as you set up jobs with the SQL Agent processes, you can have the jobs notify you on success and/or failure? It’s a solid way to deploy repetitive tasks, then make sure they’re continuing to fire going forward. Add in alerts at first for success OR failure, then, as things are proven to work correctly, back off the alerts to let you know only when things fail. Check out "specifying job responses" in Books Online.

Featured White Paper(s)
A Comparison of Disk-Based Data Protection Techniques
Balancing the need for availability and performance of the application with the need to capture and store backup copies of th… (read more)

Featured Script
dba3_sys_LogCheckSumAggBinaryCheckSumCurrentValues
Provides a fairly reliable means of assessing table data changes for other than textual character or other blob data… (read more)