Shouldn’t they have fixed that instead of putting out all these new features? That might be what you all thought when you saw the title for today’s episode. SQL Injection is still a big deal in today’s databases and we are pleased to have Bert Wagner on the program to talk with us about how it can affect you and the applications you protect.
One of the most difficult aspects to deal with SQL Injection is to decide who is responsible for dealing with it? Bert does a great job giving us some insights on what he has seen work. We invite you to give us your comments about how you have gone about trying to evade a SQL Injection attack.
“SQL Injection is essentially when you have a dynamic string that you create in SQL that’s getting executed and it ends up doing something that you didn’t intend to do.”
“When it comes to security it never solely depends on one person.”
“It doesn’t even matter if your database is kind of public knowledge or not, someone is going to be able to guess it.”
“The best thing you can do to protect yourself against dynamic SQL Injection attacks is just get rid of dynamic SQL.”
“Once again injection attacks only can happen with dynamic string execution.”
Listen to Learn
00:04 Introduction of the guest speaker (Bert )
00:38 The famous SQL Injection meme
01:19 What is SQL Injection and possible SQL Injection attacks
02:45 How to know if there is SQL Injection attack in your system?
07:43 Thoughts about dynamic strings, sp_executesql, dynamic SQL
10:38 Dynamic SQL and parameter sniffing issue
16:37 Misconceptions about SQL Injection
23:58 Tips on how to prevent SQL Injection
34:21 SQL Family Questions
Bert Wagner is a BI developer who loves optimizing SSRS reports and SQL Server for fast performance. He shares his SQL learnings every week on his blog and YouTube channel at https://bertwagner.com.
Meet the Hosts
With more than 10 years of working with SQL Server, Carlos helps businesses ensure their SQL Server environments meet their users’ expectations. He can provide insights on performance, migrations, and disaster recovery. He is also active in the SQL Server community and regularly speaks at user group meetings and conferences. He helps support the free database monitoring tool found at databasehealth.com and provides training through SQL Trail events.
Eugene works as an independent BI consultant and Pluralsight author, specializing in Power BI and the Azure Data Platform. He has been working with data for over 8 years and speaks regularly at user groups and conferences. He also helps run the GroupBy online conference.
Kevin is a Microsoft Data Platform MVP and proprietor of Catallaxy Services, LLC, where he specializes in T-SQL development, machine learning, and pulling rabbits out of hats on demand. He is the lead contributor to Curated SQL, president of the Triangle Area SQL Server Users Group, and author of the books PolyBase Revealed (Apress, 2020) and Finding Ghosts in Your Data: Anomaly Detection Techniques with Examples in Python (Apress, 2022). A resident of Durham, North Carolina, he can be found cycling the trails along the triangle whenever the weather's nice enough.