by kkikta
29. August 2008 05:15
Recently an old client I used to do some consulting for called me up because their in-house development team was having problems stopping SQL injection. I did the polite thing and attempted to explain how it could be fixed. They then asked me what it would cost for me to fix their ColdFusion and SQL Server code. I sent them over a rate sheet and I have yet to hear back; that was about 3-4 weeks ago. Guess they didn't like the price ;P
Anyway, fast forward: one of my friends was browsing my sites (.NET) and ran across an error in which it appeared Npgsql stated there were no more connections in the pool (whoops, forgot to turn on custom errors). Anyway, I decided to see if this was happening a lot, so I opened up Event Viewer. What did I find? Someone was trying to attack my site with the same type of script. So I ran a few quick tests to confirm that my stored procs are not vulnerable. Then I got to thinking: even if they were, I implement at least a dual password system where one account (read-only) is used for select queries and another (read-write) is used for everything else, so I figured I am pretty safe. Never mind that the script is targeting SQL Server and my projects are running on PostgreSQL. Needless to say I decided to let it go, since whoever is attempting to attack me is just spinning their wheels, and maybe as long as they are going after me they won't find someone who is vulnerable.
In any case I find the whole situation mildly amusing.

I cannot stress enough: sanitize your inputs, and consider setting up different user accounts so that in case you forget to protect something you limit what an attacker can do.
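Here is what the two-account setup described above looks like on PostgreSQL, as an added example rather than the post's own code. The role names (app_ro, app_rw), the schema "app", the table "app.orders" and the function name are assumptions made for illustration; the passwords are placeholders. It also shows a stored function that takes its input as a bound parameter, which is the property the "quick tests" on stored procs are checking for.

```sql
-- Added example (not the post author's code): PostgreSQL least-privilege
-- setup with one read-only and one read-write login, plus a parameterised
-- stored function. Names below are assumed for the example.

-- Two login roles: one that can only read, one that can also write.
CREATE ROLE app_ro LOGIN PASSWORD 'placeholder-read-only-password';
CREATE ROLE app_rw LOGIN PASSWORD 'placeholder-read-write-password';

-- A constructed schema and table for the example.
CREATE SCHEMA app;
CREATE TABLE app.orders (
    id       serial PRIMARY KEY,
    customer text NOT NULL,
    total    numeric(10,2) NOT NULL
);
INSERT INTO app.orders (customer, total) VALUES ('alice', 12.50), ('bob', 99.00);

-- Take away the defaults first: no role gets CREATE on the schemas via PUBLIC.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON SCHEMA app FROM PUBLIC;

-- Read-only role: USAGE on the schema and SELECT only, including on tables
-- created later in this schema by the role running this script.
GRANT USAGE ON SCHEMA app TO app_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO app_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO app_ro;

-- Read-write role: DML and sequence use, still no DDL.
GRANT USAGE ON SCHEMA app TO app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT USAGE, SELECT ON SEQUENCES TO app_rw;

-- A stored function whose input is bound as a parameter. The SQL text the
-- planner sees is fixed; p_customer can only ever be compared as data, never
-- interpreted as part of the statement.
CREATE FUNCTION app.orders_for_customer(p_customer text)
RETURNS SETOF app.orders
LANGUAGE sql STABLE SECURITY INVOKER
AS $$
    SELECT * FROM app.orders WHERE customer = p_customer;
$$;
GRANT EXECUTE ON FUNCTION app.orders_for_customer(text) TO app_ro, app_rw;

-- Quick checks of the kind the post mentions (run as a superuser or as a
-- member of app_ro): the read succeeds, the write is refused.
SET ROLE app_ro;
SELECT * FROM app.orders_for_customer('alice');   -- one row: alice, 12.50
DELETE FROM app.orders;                           -- ERROR: permission denied for table orders
RESET ROLE;
```

The application then opens its Npgsql connection strings as app_ro for pages that only read and as app_rw for pages that write. When reviewing existing PL/pgSQL functions, the thing to look for is any EXECUTE that builds its statement by concatenating an argument into the SQL string; those should bind the value with EXECUTE ... USING (or quote it with format('%L', ...)) so they get the same fixed-statement property as the function above.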