You work as the Database Administrator for www.company.com.com. All servers on the
www.company.com.com network run Windows Server 2003 and Windows Server 2000, and all client
computers run Windows XP Professional and Windows Vista. The www.company.com.com network
consists of a single Active Directory domain named www.company.com.com.
The www.company.com.com network contains a Microsoft SQL Server 2005 database server named
COMPANY-DB111, which you administer regularly. COMPANY-DB111 hosts three databases that
support different business requirements. One of them, the DBA database, supports internal
operations including data maintenance, accounting, and mailing.
The network's regular users insert data into the tables through stored procedures. The stored
procedures used on the company network accept parameters of the sql_variant type and use those
values to build and execute ad hoc query statements as part of their SQL. During a routine network
check, you discover several odd occurrences in the database, including data deleted from tables
and other unauthorized activity. You suspect a user is executing the unauthorized statements
through the stored procedures. You are required to stop the unauthorized changes with the least
impact on the stored procedures that are in use. Your solution must require the least
administrative effort.
What should you do?
A. The input parameters should be parsed to watch for and block any input including single quotes.
B. The stored procedures used for the table should be replaced with ad hoc queries.
C. The stored procedures should be customized to use type-specific and length-restricted parameters.
D. All data handling activity on the table should be audited and recorded.
Explanation:
Answer C is correct. The symptoms described point to a SQL injection attack, in which malicious
text is inserted into a query and executed on the server. Modifying the stored procedures to use
type-specific and length-restricted SQL parameters stops the attack with the least change to the
procedures in use.
Answer D is incorrect. Auditing could help identify the cause, but it will not stop the attacks.
Answer A is incorrect. Filtering single quotes could be used, but as a solution it is incomplete.
Answer B is incorrect. Replacing the stored procedures with ad hoc queries is even less secure and
more prone to SQL injection.
To prevent SQL injections, use a list of acceptable characters to constrain input, parameterized SQL for data access, and a least privileged account that has restricted permissions in the database.
Type-safe SQL parameters can also be used with dynamic SQL.
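As an added illustration that is not part of the original question or its explanation, the following T-SQL shows the pattern the scenario describes (a sql_variant parameter concatenated into an ad hoc statement) beside the option C fix (a typed, length-restricted parameter bound through sp_executesql), together with the least-privileged grant recommended above. The table, column, procedure and role names are assumed for the example.

```sql
-- Added example for SQL Server 2005; names are assumed, not from the question.
CREATE TABLE dbo.Customers (
    CustomerId   INT IDENTITY PRIMARY KEY,
    CustomerName NVARCHAR(50) NOT NULL,
    City         NVARCHAR(30) NOT NULL
);
GO

-- BEFORE: the pattern described in the scenario. The sql_variant parameter is
-- converted to text, concatenated into the statement and executed, so a single
-- quote in @City ends the string literal and any following text is run as SQL.
-- Filtering quotes (option A) only narrows this; it does not remove the cause.
CREATE PROCEDURE dbo.GetCustomersByCity_Unsafe
    @City sql_variant
AS
BEGIN
    DECLARE @Sql NVARCHAR(4000);
    SET @Sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers '
             + N'WHERE City = N''' + CONVERT(NVARCHAR(4000), @City) + N'''';
    EXEC (@Sql);   -- parameter value has become part of the SQL text
END
GO

-- AFTER (option C): a type-specific, length-restricted parameter. The value is
-- passed to sp_executesql as a bound parameter and never becomes SQL text, so
-- quotes inside it are data, not syntax. The procedure keeps its dynamic SQL,
-- which is why this is the change with the least impact on callers.
CREATE PROCEDURE dbo.GetCustomersByCity
    @City NVARCHAR(30)
AS
BEGIN
    DECLARE @Sql NVARCHAR(4000);
    SET @Sql = N'SELECT CustomerId, CustomerName FROM dbo.Customers WHERE City = @City';
    EXEC sp_executesql @Sql, N'@City NVARCHAR(30)', @City = @City;
END
GO

-- Least privilege: application logins get EXECUTE on the procedure only, not
-- direct DELETE/UPDATE rights on the table, limiting what any injected or
-- unauthorized statement could do.
CREATE ROLE AppUsers;
GRANT EXECUTE ON dbo.GetCustomersByCity TO AppUsers;
GO

EXEC dbo.GetCustomersByCity @City = N'Seattle';
```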