I have a SQL Server 2005 database hosted on a shared hosting environment. Unfortunately, for the last couple of months I have been having trouble with my application: malicious scripts and HTML tags are being appended to the existing text in my database.
The text being injected looks almost like
"<script src=http://somehostname/r.php ></script>"
I am using IIS 7 and enabled requestFiltering. But still the attack is hitting me so badly. How can I prevent my database from such attacks?
Thanks in advance.
Any application that submits data into your table should strip this out as good practice. Of course, not all applications do.
If you're not using stored procedures, I suggest you create a trigger on the database table for INSERT and UPDATE and check if any illegal strings try to enter; if they do, reject the row. SQL has some string manipulation keywords such as CHARINDEX. I personally would check for common characters such as '\', ';', '$', '&' etc.
I would also try and filter out anything that has already entered your tables and delete the rows:
Alternatively, if you use a stored procedure and pass each field as a parameter, these characters would not enter your database.
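The trigger and the parameterized stored procedure described in the answer above, written out as an added T-SQL example (this is not the answerer's code, and the `dbo.Comments` table, its columns and the object names are assumptions made for the example). The trigger rejects any INSERT or UPDATE whose text contains a script tag, the queries that follow locate and remove rows that were already tainted, and the stored procedure shows the parameterized path on which the injected text never gets interpreted as SQL:

```sql
-- Constructed example schema (an assumption for this example).
CREATE TABLE dbo.Comments (
    CommentId INT IDENTITY(1,1) PRIMARY KEY,
    Body      NVARCHAR(MAX) NOT NULL
);
GO

-- Second line of defence: an AFTER trigger that inspects every inserted or
-- updated row and rolls the statement back if a script tag is present.
-- LOWER() makes the check independent of the column's collation.
CREATE TRIGGER dbo.trg_Comments_RejectScript
ON dbo.Comments
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;

    IF EXISTS (
        SELECT 1
        FROM inserted
        WHERE CHARINDEX('<script', LOWER(Body)) > 0
           OR CHARINDEX('</script>', LOWER(Body)) > 0
    )
    BEGIN
        RAISERROR('Rejected: value contains a script tag.', 16, 1);
        ROLLBACK TRANSACTION;
        RETURN;
    END
END;
GO

-- A row carrying the injected tag is now refused (the batch aborts with the
-- RAISERROR message), while ordinary text is stored as before.
INSERT INTO dbo.Comments (Body) VALUES (N'plain comment text');
-- INSERT INTO dbo.Comments (Body)
--     VALUES (N'hello <script src=http://somehostname/r.php ></script>');  -- rejected
GO

-- Clean-up of rows that were tainted before the trigger existed:
-- first list them, then delete them as the answer suggests.
SELECT CommentId, Body
FROM dbo.Comments
WHERE CHARINDEX('<script', LOWER(Body)) > 0;

DELETE FROM dbo.Comments
WHERE CHARINDEX('<script', LOWER(Body)) > 0;
GO

-- Preferred path: a stored procedure that takes each field as a parameter.
-- The application passes @Body as a typed parameter, so whatever the user
-- typed is stored as data and is never parsed as part of a SQL statement.
CREATE PROCEDURE dbo.usp_Comments_Insert
    @Body NVARCHAR(MAX)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.Comments (Body) VALUES (@Body);
END;
GO

EXEC dbo.usp_Comments_Insert @Body = N'another plain comment';
GO
```

The stored procedure only helps if the application calls it with real parameters (for example a SqlCommand with CommandType.StoredProcedure and SqlParameter objects) rather than by concatenating user input into a SQL string; the trigger then catches anything that still slips through, and the SELECT can be run periodically to confirm nothing new has appeared.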