April is shaping up to be a fun, yet busy month. I have also been selected to present two topics at SQL Saturday #497 in Huntington Beach on April 2nd! I will be presenting on SQL Injections and Master Data Services. Here are descriptions of my presentations.
SQL Injections and How to Stop Them
Right now, there are hackers all around the world trying to get into your web applications. How safe are you? By using a technique called SQL injections, hackers can wreak havoc with web applications by compromising security, manipulating data, hoarding system resources, retrieving sensitive information, and manipulate data database objects such as dropping databases!
During the demo, we will take on a couple of different roles. As a hacker we will walk through steps a hacker might take to compromise a web application in order to retrieve sensitive data such as credit card information, usernames, passwords, and social security numbers. Assuming the role of a developer, we will then show various prevention techniques and their effectiveness in preventing SQL injections.
Attend this session to learn how SQL injections work, identify if you are being attacked, and how to stop them.
Update: Thank you to everyone who attended my session. We had a full room! 🙂
As requested, you can download the presentation and scripts here.
Mastering Master Data Services
As your organization grows, one challenge will be the management of data between systems and organizational units. With MDS, Microsoft provides the ability to have one accurate source of non-transactional data. This data can then be used within applications, other databases, and ETL processes. By leveraging data stewards to help manage the data repository, you can ensure that your MDS data is always up-to-date and accurate.
In this presentation we will cover MDS from start to finish including installation, creating models/entities, working with data, using the Excel add-in, security, hierarchies, views, versions, and business rules. After this presentation, you will have a good understanding of what master data management is, what MDS does, how to use it, and how to get started with your own MDS project.
To register for this event and to find additional information, you can visit the SQL Saturday Huntington Beach page here:
So here is an idea. Database servers take the incoming SQL query and run it through a parser resulting in a parse tree. Then they turn the tree into a plan and execute the plan.
The essence of injection is that the parser produces a tree different from the one intended by the programmer.
So the fix is to be able to detect unusual parse trees. Walk the tree after parsing and produce a string in canonical form minus the data values. Compute a SHA hash of the string. Keep a table of known hashes for the application/database user. Warn or abort if the server sees an unknown hash.
Obviously, there is a startup problem. So the programmer would have to run the application in a testing mode, extract the hashes after exhaustive testing, and the load the server with the hashes on application startup. Then turn on abort-on-new-hash and no more SQL injection should be possible.