Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unveri


 
#1  06-25-2008

Revision Note: June 25, 2008: Removed erroneous references to form field and cookie value testing from the HP Scrawlr tool description.

Advisory Summary: Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

SQLSRV_ERRORS(3)                                              SQLSRV_ERRORS(3)

NAME
       sqlsrv_errors - Returns error and warning information about the last
       SQLSRV operation performed

SYNOPSIS
       mixed sqlsrv_errors ([int $errorsOrWarnings])

DESCRIPTION
       Returns error and warning information about the last SQLSRV operation
       performed.

PARAMETERS
       o $errorsOrWarnings
         Determines whether error information, warning information, or both
         are returned. If this parameter is not supplied, both error
         information and warning information are returned. The following are
         the supported values for this parameter: SQLSRV_ERR_ALL,
         SQLSRV_ERR_ERRORS, SQLSRV_ERR_WARNINGS.

RETURN VALUES
       If errors and/or warnings occurred on the last sqlsrv operation, an
       array of arrays containing error information is returned. If no errors
       and/or warnings occurred on the last sqlsrv operation, NULL is
       returned. The following table describes the structure of the returned
       arrays:

       Array returned by sqlsrv_errors
       +----------+----------------------------------------------------------+
       | Key      | Description                                              |
       +----------+----------------------------------------------------------+
       | SQLSTATE | For errors that originate from the ODBC driver, the      |
       |          | SQLSTATE returned by ODBC. For errors that originate     |
       |          | from the Microsoft Drivers for PHP for SQL Server, a     |
       |          | SQLSTATE of IMSSP. For warnings that originate from the  |
       |          | Microsoft Drivers for PHP for SQL Server, a SQLSTATE of  |
       |          | 01SSP.                                                   |
       +----------+----------------------------------------------------------+
       | code     | For errors that originate from SQL Server, the native    |
       |          | SQL Server error code. For errors that originate from    |
       |          | the ODBC driver, the error code returned by ODBC. For    |
       |          | errors that originate from the Microsoft Drivers for PHP |
       |          | for SQL Server, the Microsoft Drivers for PHP for SQL    |
       |          | Server error code.                                       |
       +----------+----------------------------------------------------------+
       | message  | A description of the error.                              |
       +----------+----------------------------------------------------------+

EXAMPLES
       Example #1 sqlsrv_errors(3) example

       <?php
       /* Connection target is "server\instance"; adjust for your environment. */
       $serverName = "serverName\\sqlexpress";
       $connectionInfo = array("Database" => "dbName", "UID" => "username", "PWD" => "password");
       $conn = sqlsrv_connect($serverName, $connectionInfo);
       if ($conn === false) {
           /* No connection: dump every diagnostic the driver recorded. */
           die(print_r(sqlsrv_errors(), true));
       }

       /* Set up a query to select an invalid column name. */
       $sql = "SELECT BadColumnName FROM Table_1";

       /* Execution of the query will fail because of the bad column name. */
       $stmt = sqlsrv_query($conn, $sql);
       if ($stmt === false) {
           /* sqlsrv_errors() returns NULL when nothing was recorded. */
           if (($errors = sqlsrv_errors()) != null) {
               foreach ($errors as $error) {
                   echo "SQLSTATE: " . $error['SQLSTATE'] . "<br />";
                   echo "code: " . $error['code'] . "<br />";
                   echo "message: " . $error['message'] . "<br />";
               }
           }
       }
       ?>

NOTES
       By default, warnings generated on a call to any SQLSRV function are
       treated as errors. This means that if a warning occurs on a call to a
       SQLSRV function, the function returns FALSE. However, warnings that
       correspond to SQLSTATE values 01000, 01001, 01003, and 01S02 are never
       treated as errors. For information about changing this behavior, see
       sqlsrv_configure(3) and the WarningsReturnAsErrors setting.

SEE ALSO
       sqlsrv_configure(3).

PHP Documentation Group                                       SQLSRV_ERRORS(3)
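The warning-versus-error behaviour described under NOTES, with user input passed as a bound parameter instead of being concatenated into the SQL string (the unsafe practice behind the advisory above), as an added example that is not part of the man page; the connection values, table and column names are placeholders:

```php
<?php
// Added example (not from the man page). Connection values are placeholders.
$serverName = "serverName\\sqlexpress";
$connectionInfo = array("Database" => "dbName", "UID" => "username", "PWD" => "password");

// Stop warnings from turning every call into FALSE; we will ask for them
// separately (see sqlsrv_configure(3); the default WarningsReturnAsErrors is on).
sqlsrv_configure("WarningsReturnAsErrors", 0);

/* Render one record from the array-of-arrays sqlsrv_errors() returns. */
function formatDiagnostic(array $d): string
{
    return sprintf("[%s] %s: %s", $d['SQLSTATE'], $d['code'], $d['message']);
}

/* Run $sql with $params bound as query parameters. Returns the statement
   resource, or null after printing the recorded errors. Warnings are
   printed but do not fail the call. */
function runQuery($conn, string $sql, array $params)
{
    $stmt = sqlsrv_query($conn, $sql, $params);
    // sqlsrv_errors() returns NULL when nothing was recorded; the (array)
    // cast turns that into an empty list so the loops are safe.
    foreach ((array) sqlsrv_errors(SQLSRV_ERR_WARNINGS) as $w) {
        echo "warning: " . formatDiagnostic($w) . "\n";
    }
    if ($stmt === false) {
        foreach ((array) sqlsrv_errors(SQLSRV_ERR_ERRORS) as $e) {
            echo "error: " . formatDiagnostic($e) . "\n";
        }
        return null;
    }
    return $stmt;
}

$conn = sqlsrv_connect($serverName, $connectionInfo);
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// Hypothetical Users table. The request value travels as a parameter, so any
// quotes or keywords it contains are compared as data, never parsed as SQL.
$stmt = runQuery($conn, "SELECT Name FROM Users WHERE Name = ?", array($_GET['name'] ?? ''));
if ($stmt !== null) {
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        echo $row['Name'] . "\n";
    }
    sqlsrv_free_stmt($stmt);
}
sqlsrv_close($conn);
```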