You work as the Database Administrator for www.company.com.com. All servers on the www.company.com.com
network run Windows Server 2003 and Windows Server 2000, and all client computers run Windows XP
Professional and Windows Vista. The www.company.com.com network consists of a single Active Directory
domain named www.company.com.com. The www.company.com.com network contains a Microsoft SQL
Server 2005 database server named COMPANY-DB111, which you administer on a regular basis.
COMPANY-DB111 hosts three databases that support different business requirements.
The network uses the DBA database, which supports internal operations including data maintenance, accounting,
and mailing. The network's regular users insert data into the tables through stored procedures. The stored
procedures used on the company network are designed to accept sql_variant parameters and then use those
values to build and execute ad hoc query statements that form part of the SQL statements. During a routine
network check, you discover several odd occurrences in the database, including data deleted from tables and
other unauthorized activity. You suspect that a user is executing unauthorized statements through the stored
procedures. You are required to stop the unauthorized changes while having the least impact on the stored
procedures that are in use. Your solution must require the least administrative effort.
What should you do?
A. The input parameters should be parsed to watch for and block any input including single quotes.
B. The stored procedures used for the table should be replaced with ad hoc queries.
C. The stored procedures should be customized to use type-specific and length-restricted parameters.
D. All data handling activity on the table should be audited and recorded.
Explanation:
You should modify the stored procedures to use type-specific and length-restricted SQL parameters when the
problems stem from a SQL injection attack, in which malicious code is inserted into a query that is then
executed on the server. A typed, length-limited parameter can only ever be treated as data, so it cannot alter
the statement being executed.
Answer D is incorrect. This choice could be used to identify the cause, but it will not stop the attacks.
Answer A is incorrect. This choice could be used, but the solution is incomplete, since single quotes are not the
only way to alter a dynamically built statement. Answer B is incorrect. You should not consider this option, as it
is even less secure and more prone to a SQL injection attack.
Primary Defenses:
Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input
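The vulnerable pattern described in the question alongside the fix chosen in answer C, as an added T-SQL example that is not part of the original question. The table, column and procedure names are assumptions, and the syntax is kept to what SQL Server 2005 supports.

```sql
-- Added example; table, column and procedure names are assumptions, not from the question.

-- Constructed table for the example.
CREATE TABLE dbo.Customer (
    CustomerId   int          NOT NULL PRIMARY KEY,
    CustomerName nvarchar(50) NOT NULL
);
GO

-- BEFORE: a sql_variant parameter is concatenated into an ad hoc statement.
-- Whatever text the caller passes becomes part of the SQL that is executed,
-- so the caller can run arbitrary statements with the procedure's rights.
CREATE PROCEDURE dbo.usp_GetCustomer_Unsafe
    @Value sql_variant
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customer '
             + N'WHERE CustomerName = ''' + CAST(@Value AS nvarchar(4000)) + N'''';
    EXEC (@sql);   -- the assembled string is executed as-is
END
GO

-- AFTER (answer C): a type-specific, length-restricted parameter and no
-- string concatenation. The value is bound as data and can never become SQL.
CREATE PROCEDURE dbo.usp_GetCustomer
    @CustomerName nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, CustomerName
    FROM dbo.Customer
    WHERE CustomerName = @CustomerName;
END
GO

-- If dynamic SQL is genuinely required, keep the value as a bound parameter
-- of sp_executesql rather than concatenating it into the statement text.
CREATE PROCEDURE dbo.usp_GetCustomerDynamic
    @CustomerName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, CustomerName FROM dbo.Customer '
             + N'WHERE CustomerName = @name';
    EXEC sp_executesql @sql, N'@name nvarchar(50)', @name = @CustomerName;
END
GO
```

Existing callers keep passing a single value, so replacing the sql_variant parameter with a typed one changes the procedure signature only at the type level, which is why it has the least impact on procedures already in use.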