Friday, 12 November 2010

How to Stop SQL Injection

1) Create User WebUser
2) Make it db_Owner for the application database
3) Execute below SQL statements

use [master]
GO

DENY SELECT ON [INFORMATION_SCHEMA].[TABLES] TO [Public]

DENY SELECT ON [INFORMATION_SCHEMA].[COLUMNS] TO [Public]

DENY SELECT ON [INFORMATION_SCHEMA].[VIEW_COLUMN_USAGE] TO [Public]

DENY SELECT ON [INFORMATION_SCHEMA].[CONSTRAINT_COLUMN_USAGE] TO [Public]

DENY SELECT ON [INFORMATION_SCHEMA].[COLUMN_PRIVILEGES] TO [Public]
GO

Use [SQLInjection]
GO

DENY SELECT ON [sys].[columns] TO [test]

DENY SELECT ON [sys].[tables] TO [test]

DENY SELECT ON [sys].[syscolumns] TO [test]

DENY SELECT ON [sys].[sysobjects] TO [test]

DENY SELECT ON [sys].[objects] TO [test]

DENY SELECT ON [sys].[syscomments] TO [test]
GO