Presentation is loading. Please wait.

Presentation is loading. Please wait.

Joanna Wolthuis Be a Dynamic SQL Dynamo!.

Published byกระสินธ์ พิศาลบุตร Modified over 5 years ago

Similar presentations

Presentation on theme: "Joanna Wolthuis Be a Dynamic SQL Dynamo!."— Presentation transcript:

1 Joanna Wolthuis Be a Dynamic SQL Dynamo!

2 About me… Working with SQL Server for 8 years.
Independent contractor - SQL Server/VBA development and reporting. Big fan of VBA interaction with SQL Server (front end tools). Contributor to Your Programming Network website and YouTube channel. Amateur acrobat! @ochthenoodle

3 Dynamic SQL…. What is dynamic SQL? How would we use it?
When should we use it? How does it perform? Is it secure?

4 Static SQL Dynamic SQL SELECT * FROM [Warehouse].[PackageTypes]
AS VARCHAR(50) = '[Warehouse].[PackageTypes]' AS VARCHAR(MAX) = 'SELECT * FROM ‘ =

5 SQL Injection…. Little Bobby Tables

6 Erland Sommarskog….. “if this web app logs into SQL Server with sysadmin or db_owner privileges, the attack succeeds. Mind you, with sysadmin rights, the attacker can add users and logins as he pleases. And if the service account for SQL Server has admin privileges in Windows, the attacker has access into your network far beyond SQL Server through xp_cmdshell. (Which is disabled by default on SQL 2005 and later, but if the attacker has achieved sysadmin rights on the server, he can change that.)“

7 How can we prevent this? Correct permissions!!!!!!
Do not expose your SQL Server error messages Remove special chars etc where possible sp_executeSQL NOT EXEC

8 Feel free to email/tweet me anything you may think of later 
Questions? Feel free to /tweet me anything you may think of later  @ochthenoodle Useful links:

Download ppt "Joanna Wolthuis Be a Dynamic SQL Dynamo!."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
SQL Injection Stephen Frein Comcast.

SQL Injection Stephen Frein Comcast.
How Did I Steal Your Database Mostafa

How Did I Steal Your Database Mostafa
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Sql Server Advanced Features MIS 424 Professor Sandvig.

Sql Server Advanced Features MIS 424 Professor Sandvig.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
SQL Server and Application Security for Developers

SQL Server and Application Security for Developers
Module 3: Changes to Transact-SQL. Overview Accessing Object Information New Transact-SQL Syntax Changes to Objects Distributed Queries.

Module 3: Changes to Transact-SQL. Overview Accessing Object Information New Transact-SQL Syntax Changes to Objects Distributed Queries.
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
I-SUITE 101. I-SUITE BASICS Install I-Suite Server Clients Setup Initial Admin User Create Database Add Users Create Additional Admin User Create I-Suite.

I-SUITE 101. I-SUITE BASICS Install I-Suite Server Clients Setup Initial Admin User Create Database Add Users Create Additional Admin User Create I-Suite.
I-SUITE 101. I-SUITE BASICS Install I-Suite Server Clients Setup Initial Admin User Create Database Add Users Create Additional Admin User Create I-Suite.

I-SUITE 101. I-SUITE BASICS Install I-Suite Server Clients Setup Initial Admin User Create Database Add Users Create Additional Admin User Create I-Suite.
Welcome to Blackhat! Blackhat Security Briefings Amsterdam 2001 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com;

Welcome to Blackhat! Blackhat Security Briefings Amsterdam 2001 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com;
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Secure ASP.NET MVC5 Application with Asp.Net Identity Changde Wu Self Introduction Professional.NET Developer in greater Boston area Specialized in WPF.

Secure ASP.NET MVC5 Application with Asp.Net Identity Changde Wu Self Introduction Professional.NET Developer in greater Boston area Specialized in WPF.
Duong Ngo October 14, 2009. POST-EXPLOITATION  Got access to a MSSQL box? (SQL injection, brute force…)  Privileges: sa / dbo / normal user  Got all.

Duong Ngo October 14, POST-EXPLOITATION  Got access to a MSSQL box? (SQL injection, brute force…)  Privileges: sa / dbo / normal user  Got all.
Attacking Applications: SQL Injection & Buffer Overflows.

Attacking Applications: SQL Injection & Buffer Overflows.
MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.

MICROSOFT SQL SERVER 2005 SECURITY  Special Purpose Logins and Users  SQL Server 2005 Authentication Modes  Permissions  Roles  Managing Server Logins.
Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.

Module 9 Authenticating and Authorizing Users. Module Overview Authenticating Connections to SQL Server Authorizing Logins to Access Databases Authorization.

Similar presentations

Ads by Google