Welcome to Julian Kuiters Sunday, May 27 2018 @ 01:31 PM AEST

SQL Truncation Attacks

  • Contributed by:
SQL Server 2005

SQL injection attacks are nothing new and hopefully everyone is protecting themselves from it.

An interesting by-product of the standard method of protection from the basic sql injection attack (replace single quotes with two single quotes) is increasing the size of the original value. When building a command in a variable, its possible to truncate the original WHERE conditions allowing the attacker to affect much more data than the developer intended.

Bala Neerumalla has written a detailed article for MSDN Magazine with background on the attack methods, some excellent examples, and methods for detecting and preventing SQL Truncation attacks. Definately worth reading and implementing.