
SQL Injection

What can I do here?

Use this window to configure the web server's level of protection against SQL injection.

Getting Here

Getting Here - Object Explorer > New > Host > Servers > Select Web Server > Web Server > Protections > Select SQL Injection > Advanced

Understanding SQL Injection

Attack Description

SQL injection attacks allow a remote attacker to execute SQL commands disguised as a URL or form input to a database. A successful attack may get the database to run undesirable commands. This could cause damage by revealing confidential information, modifying the database, or even shutting it down.

Web Security Protection

Web Security can inspect for the presence of SQL commands in Web forms or URLs sent in HTTP Requests to a server. The protection looks for several categories of commands: distinct SQL commands, non-distinct SQL commands, and special SQL separator characters (e.g., + ' -). Strings that are unique to SQL and not likely to appear in common language are considered distinct (e.g., "sql_longvarchar", "sysfilegroups", etc.). Strings that may appear in common language are considered non-distinct (e.g., "select", "join", etc.).

SQL Injection Options

Depending on the protection level, the search is made either between separators of the path and query sections of the URL, or across the entire path and query. In the path section of the URL, the separator is the / character. In the query section, the separator is the & character.
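The following Python model is added here to illustrate why the search scope matters; it is not Check Point's implementation and does not reproduce the product's signature set. It splits the path on / and the query on &, looks inside each piece for the three categories named above (distinct commands, non-distinct commands, separator characters), and compares a per-segment search with a search across the whole path and query. The token lists, the sample URLs and the decision rule (a distinct command alone is suspicious; a non-distinct one only together with a separator character in the same scope) are constructed assumptions for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed token lists that follow the help text's categories; they are
# illustrative and not the product's actual signature set.
DISTINCT_TOKENS = {"sql_longvarchar", "sysfilegroups"}
NON_DISTINCT_TOKENS = {"select", "join", "union", "drop"}
SEPARATOR_CHARS = set("+'-")


def scan_scope(text):
    """Collect SQL indicators inside one search scope (a segment or the whole URL)."""
    decoded = unquote(text).lower()          # also see percent-encoded quotes
    words = set(re.findall(r"[a-z_]+", decoded))
    return {
        "distinct": words & DISTINCT_TOKENS,
        "non_distinct": words & NON_DISTINCT_TOKENS,
        "separators": {c for c in decoded if c in SEPARATOR_CHARS},
    }


def scope_is_suspicious(found):
    """Assumed decision rule (not the product's): a distinct command alone is
    enough; a non-distinct one counts only with a separator in the same scope."""
    if found["distinct"]:
        return True
    return bool(found["non_distinct"]) and bool(found["separators"])


def inspect_url(url, per_segment):
    """Return True when the URL matches the assumed rule.

    per_segment=True mirrors the 'between separators' search: the path is
    split on '/' and the query on '&', and each piece is judged on its own.
    per_segment=False mirrors the 'across the entire path and query' search.
    """
    parts = urlsplit(url)
    if per_segment:
        scopes = [p for p in parts.path.split("/") if p]
        scopes += [q for q in parts.query.split("&") if q]
    else:
        scopes = [parts.path + "?" + parts.query]
    return any(scope_is_suspicious(scan_scope(s)) for s in scopes)


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "/shop/items?name=select&sort=asc",       # common word, no separator
        "/shop/items?name=select&note=o'brien",   # word and quote in different scopes
        "/shop/items?q=select%27",                # word and quote in one scope
        "/reports/sysfilegroups",                 # distinct command alone
    ]
    for url in samples:
        print(url, "per-segment:", inspect_url(url, True),
              "whole:", inspect_url(url, False))
```

The second sample shows the practical difference: a common word in one parameter and a quote character in another are invisible to the per-segment search but are matched when the whole path and query are searched together, which is also why the wider scope produces more false positives on ordinary input such as names containing an apostrophe.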