Handling SQL Injection Attacks

SQL injection is the act of entering a specially crafted string into a text box or query string so that attacker-controlled SQL code is executed by the database.  For example, if you have an ASP page that accepts an ID field as a query string parameter, and this ID is then used to build a dynamic SQL query, your application may be subject to an SQL injection attack.  An application user may enter a query string like:

1; DELETE FROM Orders (or some other malicious SQL statement)

If that string is concatenated directly into the query text, both statements are executed and the contents of your Orders table are deleted!  You can combat this particular type of attack by strictly enforcing data type validation of input fields, so that a value expected to be an integer is rejected before it reaches the query.
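The two defenses described above, strict data type validation of the ID parameter and passing the value as a typed parameter rather than as SQL text, are shown below in an added ASP.NET (ADO.NET) example.  This is illustrative code written for this page, not code generated by Iron Speed Designer; the Orders table, its OrderID column, the page class name and the connection string are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web.UI;

// Assumed schema (placeholder, not from the Iron Speed documentation):
//   Orders(OrderID int, CustomerID nvarchar(100), OrderDate datetime)
public static class OrderLookup
{
    // VULNERABLE: the raw query-string value becomes part of the SQL text.
    // The input "1; DELETE FROM Orders" turns one SELECT into two statements.
    public static string BuildUnsafeSql(string rawId)
    {
        return "SELECT * FROM Orders WHERE OrderID = " + rawId;
    }

    // HARDENED, step 1: strict data type validation.  NumberStyles.None accepts
    // digits only (no sign, no whitespace), so "1; DELETE FROM Orders" is rejected
    // before it is used anywhere.
    public static bool TryParseOrderId(string rawId, out int orderId)
    {
        return int.TryParse(rawId, NumberStyles.None, CultureInfo.InvariantCulture, out orderId)
               && orderId > 0;
    }

    // HARDENED, step 2: the value travels as a typed parameter, never as SQL text,
    // so the database engine can only treat it as an integer comparison value.
    public static DataTable LoadOrder(string connectionString, int orderId)
    {
        const string sql = "SELECT OrderID, CustomerID, OrderDate FROM Orders WHERE OrderID = @OrderID";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = orderId;
            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
            return table;
        }
    }
}

// Placeholder page class showing how the query-string value is handled.
public partial class OrdersPage : Page
{
    // Assumed connection string name; a trusted connection keeps credentials out of Web.config.
    private const string ConnectionString = "Server=(local);Database=Northwind;Integrated Security=SSPI;";

    protected void Page_Load(object sender, EventArgs e)
    {
        int orderId;
        if (!OrderLookup.TryParseOrderId(Request.QueryString["ID"], out orderId))
        {
            // Reject with a generic status; do not echo the offending value or a stack trace.
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        DataTable order = OrderLookup.LoadOrder(ConnectionString, orderId);
        // ... bind 'order' to the page's controls ...
    }
}
```

Note that the validation step alone would already stop the example payload, and the parameter alone would already make it harmless; using both means a mistake in one layer does not become an injection.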

Applications built with Iron Speed Designer should be completely safe from SQL injection attacks, because all data that affects the construction of SQL statements (and stored procedure parameters) goes through at least one abstraction layer that properly encodes or interprets the data.  While it is possible for a developer to design an application that bypasses this security and allows custom code and/or end user input to unsafely affect the SQL generation, doing so requires application customization to circumvent the security mechanisms.  Moreover, filters created by Iron Speed Designer handle string inputs by replacing "into", which prevents the application user from running their own SQL command such as delete table.

For more information on SQL Injection Attacks, refer to:

http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/

Application Security Provisions

Principle: Never trust user input
Implementation: Validate all text box entries using validation controls, regular expressions, code, and so on.
Iron Speed Designer: All text boxes are validated through validation routines built into your application.  Strings that are passed through to the query, such as search strings, go through multiple levels of validation to ensure that all quotes and other troublesome characters are either eliminated or further quoted to make them benign.

Principle: Never use dynamic SQL
Implementation: Use parameterized SQL or stored procedures.
Iron Speed Designer: Iron Speed Designer creates and uses stored procedures.  When using inline SQL, however, Iron Speed Designer does compose queries dynamically when the end user searches, sorts, paginates or filters the data.  This dynamic SQL is built from application code rather than from user input, and goes through multiple layers of abstraction to ensure that there is no possibility of injecting inappropriate SQL into the query.

Principle: Never connect to a database using an admin-level account
Implementation: Use a limited access account to connect to the database.
Iron Speed Designer: The application developer decides which user account to use to connect to the database.  Iron Speed best practices suggest using a trusted connection with the ASPNET account created on the system.  The ASPNET account should not have admin-level privileges.

Principle: Don't store secrets in plain text
Implementation: Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings.
Iron Speed Designer: When a trusted connection is used, no user name or password is stored or passed in plain text.  When a SQL Server account is used, the connection information is stored in your application's Web.config file in an unencrypted format.  Iron Speed recommends securing the system and the folder containing your application's Web.config file on a deployed application.

Principle: Exceptions should divulge minimal information
Implementation: Don't reveal too much information in error messages; use customErrors to display minimal information in the event of an unhandled error; set debug to false.
Iron Speed Designer: Error messages reported to users are generic, stored in resource files, and can be easily modified.  customErrors are turned off for Remote users by default.  Debug mode is set to false by default.
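The "Never use dynamic SQL" provision above notes that search, sort, pagination and filter queries are composed dynamically from application code rather than from user input.  The added example below shows one way to keep that property when composing such a query in ADO.NET: column names (which cannot be parameterized) come only from an allow-list the application owns, page numbers are range-checked, and the search text is always a parameter.  This is illustrative code written for this page, not Iron Speed Designer's generated code; the Orders table and its columns are placeholders, and OFFSET/FETCH pagination assumes SQL Server 2012 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Assumed schema (placeholder): Orders(OrderID int, CustomerID nvarchar(100), OrderDate datetime)
public static class OrderQueryBuilder
{
    // Allow-list: the only strings that are ever spliced into the SQL text.
    // Keys are the tokens the UI sends; values are column names the application owns.
    private static readonly IDictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "id", "OrderID" },
            { "customer", "CustomerID" },
            { "date", "OrderDate" },
        };

    private const int MaxPageSize = 100;

    // Builds a search/sort/paginate query.  Every user-supplied value is either
    // mapped through the allow-list, clamped to a numeric range, or bound as a parameter.
    public static SqlCommand Build(SqlConnection conn, string searchText, string sortKey,
                                   bool descending, int pageIndex, int pageSize)
    {
        string column;
        if (!SortColumns.TryGetValue(sortKey ?? "id", out column))
            column = "OrderID";   // unknown sort keys fall back to a safe default, never to the raw input

        if (pageIndex < 0) pageIndex = 0;
        if (pageSize < 1 || pageSize > MaxPageSize) pageSize = MaxPageSize;

        var sql = new StringBuilder("SELECT OrderID, CustomerID, OrderDate FROM Orders");
        var cmd = new SqlCommand();
        cmd.Connection = conn;

        if (!string.IsNullOrEmpty(searchText))
        {
            // The search text is a parameter, so quotes or semicolons in it are plain data.
            sql.Append(" WHERE CustomerID LIKE @Search");
            cmd.Parameters.Add("@Search", SqlDbType.NVarChar, 100).Value = "%" + EscapeLike(searchText) + "%";
        }

        sql.Append(" ORDER BY ").Append(column).Append(descending ? " DESC" : " ASC");
        sql.Append(" OFFSET @Offset ROWS FETCH NEXT @PageSize ROWS ONLY");
        cmd.Parameters.Add("@Offset", SqlDbType.Int).Value = pageIndex * pageSize;
        cmd.Parameters.Add("@PageSize", SqlDbType.Int).Value = pageSize;

        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // The parameter already prevents SQL injection.  This only stops the user's text
    // from being read as LIKE wildcards (%, _, [), which is a result-correctness issue
    // rather than an injection.  SQL Server treats [x] inside LIKE as the literal x.
    // "[" is escaped first so the brackets added afterwards are not re-escaped.
    public static string EscapeLike(string text)
    {
        return text.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

The resulting command text contains only literals chosen by the application ("OrderID", "DESC") and parameter markers; a sort key such as "id; DELETE FROM Orders" is simply not found in the allow-list and is replaced by the default column.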

See Also

Configuring Microsoft IIS and IIS Express for Application Security

Configuring IIS Express

Active Directory Role Management

Configuring Microsoft Active Directory

Microsoft Authorization Manager (AzMan) Role Management

Configuring Microsoft Authorization Manager (AzMan)

Microsoft SharePoint Authentication and Authorization

Data Transmission Encryption

Configuring Firewall Security
