Comments on: Securing SQL Server In My Library

By: Thomas LaRock

Thomas LaRock — Tue, 15 Mar 2011 15:01:31 +0000

In reply to Claire.

Claire,

Could you? Absolutely!

Now…how many people actually know what they are doing…

By: Claire

Claire — Tue, 15 Mar 2011 15:00:31 +0000

Eeesh. Couldn’t you just use a stored procedure to validate any user?

By: Thomas LaRock

Thomas LaRock — Tue, 15 Mar 2011 02:39:26 +0000

In reply to Michael. Michael, Exactly like what I did? Not that I know of. But if you pick up a copy of the book you will find a few examples of SQL injection that involved binary attacks. It really depends on how people have coded their applications.

By: Michael

Michael — Tue, 15 Mar 2011 02:28:02 +0000

But could code like that ever do something bad? It is just a SELECT statement that returns an encoded string.

By: Thomas LaRock

Thomas LaRock — Mon, 14 Mar 2011 21:27:31 +0000

In reply to Mike Walsh. Wow, that's amazing! I wonder how many more people will be amazed at what that piece of code does...

By: Mike Walsh

Mike Walsh — Mon, 14 Mar 2011 21:24:24 +0000

Could have been worse… You could have asked folks to run this dangerous piece of code –

select CAST(0x6E6576657220676F6E6E61206769766520796F75207570202D206E6576657220676F6E6E61206C657420796F7520646F776E202D206E6576657220676F6E6E612072756E2061726F756E6420616E642064657365727420796F752E2E2E as varchar(max))