SQL used for evil

Yikes. I heard about a website being hacked, probably via SQL injection. This trigger was added:

CREATE TRIGGER tr_Orders_INSERT_InsteadOf ON Orders
INSTEAD OF INSERT
AS RAISERROR('[Microsoft OLE DB Provider for SQL Server] Timeout expired', 16, 0)

That's a rough one to catch, because it looks to the calling function as if you're getting unexplained timeouts every time you try to add a new row to the Orders table. This is pretty much a “denial of service” type of attack in that it's designed to harm the business rather than steal from it. Not cool.
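A trigger like that is easiest to find from the catalog rather than from the application's error logs. The following audit query is an added example, not part of the original post: it lists every table trigger in the current database with its firing mode and event, and flags definitions that raise an error text impersonating the data-access layer, INSTEAD OF INSERT triggers that never actually insert, and triggers whose definition is hidden. It assumes SQL Server 2005 or later (sys.triggers, sys.trigger_events and sys.sql_modules); the remediation statements at the end assume the trigger and table names from the post.

```sql
-- Added example (not from the original post): audit table triggers in the
-- current database and flag the suspicious ones. Assumes SQL Server 2005+
-- catalog views.
SELECT
    t.name                     AS trigger_name,
    OBJECT_NAME(t.parent_id)   AS table_name,
    CASE WHEN t.is_instead_of_trigger = 1 THEN 'INSTEAD OF' ELSE 'AFTER' END AS firing,
    te.type_desc               AS event_type,
    t.is_disabled,
    t.create_date,
    t.modify_date,             -- sort key: a freshly added trigger floats to the top
    CASE
        WHEN m.definition IS NULL
            THEN 'REVIEW: definition encrypted or unavailable'
        WHEN m.definition LIKE '%RAISERROR%'
         AND m.definition LIKE '%Provider for SQL Server%'
            THEN 'SUSPICIOUS: raises an error that mimics the data-access layer'
        WHEN t.is_instead_of_trigger = 1
         AND te.type_desc = 'INSERT'
         AND m.definition NOT LIKE '%INSERT INTO%'
            THEN 'REVIEW: INSTEAD OF INSERT that never inserts'
        ELSE ''
    END                        AS note,
    m.definition
FROM sys.triggers AS t
LEFT JOIN sys.sql_modules   AS m  ON m.object_id  = t.object_id
LEFT JOIN sys.trigger_events AS te ON te.object_id = t.object_id
WHERE t.parent_class = 1           -- table/view triggers only, not database DDL triggers
ORDER BY t.modify_date DESC;

-- Remediation once a rogue trigger is confirmed. Disable it first so the
-- definition stays in the catalog for the incident record, then drop it
-- after the definition has been exported. Names assumed from the post.
DISABLE TRIGGER tr_Orders_INSERT_InsteadOf ON Orders;
-- DROP TRIGGER tr_Orders_INSERT_InsteadOf;
```

Run it as part of a scheduled baseline and diff the result set against the previous run; a trigger whose create_date or modify_date is newer than the last deployment is worth a look regardless of what the note column says, and the same idea applies to sys.sql_modules in general, since a change-tracking diff of module definitions catches tampered stored procedures and views too.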

And while I'm at it, it's not a good idea to have files with non-standard extensions (.bak, .inc, .site) in a web directory since IIS doesn't know about them and will happily serve them up as text files. That can help a hacker find places where you're vulnerable to other attacks such as SQL injection.
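The cleanest fix is to keep such files out of the web root entirely, but as a second layer the web server can be told never to serve them. The fragment below is an added example, not from the original post, and it assumes IIS 7 or later with the request filtering module installed (classic IIS 5/6 of the post's era had no equivalent in web.config). It denies the three extensions named above while leaving everything else as it was.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: IIS 7+ request filtering, placed in the site's web.config.
     allowUnlisted="true" keeps the existing behaviour for every other extension;
     only the listed ones are refused with HTTP 404.7 instead of being served as text. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak"  allowed="false" />
          <add fileExtension=".inc"  allowed="false" />
          <add fileExtension=".site" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After deploying it, request one of the blocked files over HTTP and confirm the server answers 404 rather than the file contents; IIS logs the refusal with sub-status 7, which is an easy thing to alert on, because a string of 404.7 hits for .bak and .inc names is a reasonable signal that someone is probing for exactly the files this post warns about.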

