Questions tagged [sql-server]

SQL Server is Microsoft's relational database management system (RDBMS). It is a full-featured database primarily designed to compete against Oracle Database (DB) and MySQL. Like all major RDBMSs, SQL Server supports ANSI SQL, the standard SQL language. However, SQL Server also contains T-SQL, its own SQL implementation. SQL Server Management Studio (SSMS) (previously known as Enterprise Manager) is SQL Server's main interface tool, and it supports 32-bit and 64-bit environments. SQL Server is sometimes referred to as "MSSQL" and "Microsoft SQL Server".

155 questions
54 votes, 4 answers

Does read-only access to the database prevent sql injection?

I have a web api that connects to my SQL Server using a read-only connection and want to allow tech savvy users of my api to enter an SQL where clause on the querystring. I basically just want to tack what they enter onto the select statement. Does…
Aaron
  • 643
  • 1
  • 5
  • 5
22 votes, 3 answers

Sanitizing input for parameterized queries

If I use fully parameterized queries everywhere, is it still necessary and/or security-relevant to somehow sanitize input? E.g. check that mail addresses are valid before sending a parameterized query against the database, or filtering out certain…
Alexander
  • 2,143
  • 2
  • 16
  • 22
20 votes, 5 answers

SQL field level encryption, how safe is it?

I am considering encrypting my database and/or encrypting only certain columns in a few tables. Is it worth the time? I mean, how much of a burden would it be on someone if they were to get a hold of my encrypted database? Has anyone even found a…
Rush Frisby
  • 350
  • 1
  • 2
  • 11
19 votes, 3 answers

Determine SSL/TLS version using Wireshark

Using Wireshark, I am trying to determine the version of SSL/TLS that is being used with the encryption of data between a client workstation and another workstation on the same LAN running SQL Server. Documentation on this subject suggests to look…
Guru Josh
  • 423
  • 3
  • 5
  • 10
17 votes, 5 answers

Is sending plaintext passwords to a SQL Server database a security risk?

I have a database which has stored procedures which take plaintext passwords. It hashes them and inserts them into the DB. If an attacker has access to the DB connection, it is possible to intercept calls to the DB using SQL Server Profiler and see…
Craig Curtis
  • 699
  • 1
  • 7
  • 11
15 votes, 3 answers

How secure is the traffic with Sql Server Management Studio?

I was just using Sql Server Management Studio on my WiFi, and I was actually wondering how secure the traffic/database communication is. Is traffic from querying secure, or is it easily sniffed for passwords and sensitive data?
KallDrexx
  • 253
  • 1
  • 2
  • 5
13 votes, 1 answer

Is an encrypted connection to MS-SQL Server really safe?

Quick intro: Small company, VERY limited resources. I pretty much do everything including coffee. I am a programmer, not a security guy. That's why I ask you... We have an MS-SQL 2008 Database running on our server and several C# Applications that…
Martin Booka Weser
  • 233
  • 1
  • 2
  • 6
13 votes, 2 answers

Generating a PIN from cryptographic bytes

One of our applications uses SQL Server for the back end, and that application requires a 4 digit numerical PIN for employees to be created that works with a key (more or less). The system itself defaults all PINs to 0000 because that's the magic…
Bacon Bits
  • 233
  • 1
  • 6
10 votes, 2 answers

Online SQL Server database for a Business app. Security considerations

A business application works with a SQL Server database. A SQL Server 2008 is installed on one of the computers of the local network. Technically this app works OK if the server computer with the SQL Server 2008 database collocated in the datacenter…
rem
  • 2,017
  • 2
  • 19
  • 27
9 votes, 4 answers

Worthwhile from security standpoint to limit database server user for ASP.NET website to only EXECUTE on stored procedures?

I know that obviously we must avoid sql injection attacks through user input validation and parametrized queries. There's already a firewall in place on the database server to limit remote connections to be accepted only from the web server. …
Peter Smith
  • 360
  • 1
  • 9
8 votes, 3 answers

IIS and SQLServer Hardening

Long story short: I'm an engineer doing development, not administration. I have no direct access to the production server, so I can only tell the administration team the best configurations for security. However, as you all know, it's not as simple…
Orca
  • 491
  • 1
  • 5
  • 12
7 votes, 1 answer

SQL Server of my hosting provider allows me to see all databases. How secure is mine?

My hosting provider allows access to its SQL Server. When I connected to it by SQL Management Studio, all hosted databases were visible. I can't get the details on these databases, I get this error: "The database x is not accessible.(Object…
user73983
  • 71
  • 1
7 votes, 2 answers

What's the best way to test for SQL Injection vulnerabilities? Manual or SQLMap?

As part of my job I test for web application vulnerabilities regularly. When it comes to SQL Injection, my methodology is to start by manually browsing the website and spidering it, then, sending the parameters that I suspect to interact with the…
Mico
  • 377
  • 3
  • 16
6 votes, 4 answers

Security risks of using SQL Server without a firewall

My question is prompted by the fact that WinHost.com has some really cheap shared hosting for SQL Server where you don't need to manage your own Virtual Private Server. Unfortunately there is no firewall so you can access the server from anywhere on…
BVernon
  • 181
  • 1
  • 7
5 votes, 3 answers

AD User vs SQL User for SQL Server Authentication

My company has multiple web applications that we deploy to customer sites. Often the customer has the final say in deployment options in which often it shocks me. Many of these customers are deploying the web application to point to the deployed…
Cyassin
  • 503
  • 2
  • 6
  • 12