ASP.NET Weblogs

Phil Scott's WebLog

Quite exciting this computer magic

Security Pixie Dust

The moral of the story: You may find this stupid now, perhaps even finding my bizarre "Kentucky" sentence structure and spelling hard to follow.  But given time, you'll be telling all your friends and neighbors you've been reading my blog "before Phil sold out and became all commercial." 

Anyways, last day of SQL Server in Lexington, KY.  Every time I teach this class I'm amazed at the number of people who code apps with a system administrator account hard-coded (or done via impersonation), let alone the number who leave sa with a blank password.  Two or three students who were taking the course to help them manage some pre-packaged sales software told me that the packaged software runs with a system administrator account with a blank password. 

I don't think people realize the pure chaos one can cause when an app is using the system admin account.  I think some believe that it's some kind of magical "we won't get access errors now when we run insert statements and stored procedures" pixie dust.  There is no magical security pixie dust.  This little VB app always gets a good response (there's a textbox named Text1 that accepts an employeeId):

' Classic ADO in VB6: whatever is in the text box is concatenated straight into the SQL text
conn.Execute "Select * From Employee Where EmployeeId = " & Text1.Text

Type into text1:

5; exec master..xp_cmdshell 'echo y | format d:'

Formatting a hard drive always seems to raise a couple of eyebrows.  Now, what I always find is that VB people always want to do data validation on the client.  And since the VB app is the only application that will be calling that stored procedure, why should they validate in the sproc too?  That kind of thinking is why the SQL Slammer worm and obviously many others get their play time. 
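Here is what the other side of that story looks like in T-SQL. This is an added example, not code from the original post: a dedicated low-privilege login for the VB app instead of sa, a stored procedure with a typed parameter that also validates its input server-side, and xp_cmdshell switched off. The database name Payroll, the login PayrollApp, the table dbo.Employee and its columns are assumptions for illustration; the CREATE LOGIN / CREATE USER and sp_configure 'xp_cmdshell' syntax is SQL Server 2005 and later.

```sql
-- Added example, not from the original post. Assumes a database named Payroll with a
-- table dbo.Employee(EmployeeId int, LastName, FirstName); all other names are illustrative.
USE Payroll;
GO

-- 1. Give the VB app its own login, not sa, and never a blank password.
CREATE LOGIN PayrollApp WITH PASSWORD = 'ReplaceWithAStrongPassword!1';
CREATE USER PayrollApp FOR LOGIN PayrollApp;
GO

-- 2. A stored procedure with a typed parameter. Whatever the client sends arrives as
--    an int (or fails to convert); it is never spliced into SQL text, so there is no
--    second statement for the server to run.
CREATE PROCEDURE dbo.GetEmployee
    @EmployeeId int
AS
BEGIN
    SET NOCOUNT ON;

    -- Validate in the sproc too, not only in the VB form: the form is not the only
    -- thing that will ever call this.
    IF @EmployeeId IS NULL OR @EmployeeId <= 0
    BEGIN
        RAISERROR('EmployeeId must be a positive integer.', 16, 1);
        RETURN;
    END

    SELECT EmployeeId, LastName, FirstName
    FROM dbo.Employee
    WHERE EmployeeId = @EmployeeId;
END
GO

-- 3. The app user gets EXECUTE on this procedure and nothing else: no direct table
--    access, no ad-hoc SELECT, and certainly no EXECUTE on master..xp_cmdshell.
GRANT EXECUTE ON dbo.GetEmployee TO PayrollApp;
GO

-- 4. Turn xp_cmdshell off unless something on the box genuinely needs it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- Normal call from the app (ADO Command object with an adInteger parameter):
EXEC dbo.GetEmployee @EmployeeId = 5;
GO

-- The payload from the post, passed as a parameter value instead of concatenated.
-- The whole string is one value; it fails the int conversion before the procedure body
-- ever runs (error 245, "Conversion failed when converting the varchar value ... to
-- data type int"), and nothing after the semicolon is ever treated as a statement.
EXEC dbo.GetEmployee @EmployeeId = '5; exec master..xp_cmdshell ''echo y | format d:''';
GO
```

With an ADO Command object the VB side never builds SQL text at all: CommandText is "dbo.GetEmployee", CommandType is adCmdStoredProc, and Text1.Text goes into an adInteger parameter, so a non-numeric value is rejected on the client before it even reaches the server. Even if an attacker does get a well-formed id through, PayrollApp has no permission on xp_cmdshell and the procedure is off, so the worst case is reading one employee row rather than formatting D:.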
