SQL Injection


SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious SQLstatements (also commonly referred to as a malicious payload) that control a web application’s database server. Such attack affects any website or web application.

An attacker can bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database. SQL injection can also be used to add, modify and delete records in a database.

In a 2012 study, it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.

A SQL injection needs two conditions to exists :

  • A relational database that uses SQL
  • A user controllable input which is directly used in an SQL query.

Subclasses of SQLi –

  1. Classic SQLi
  2. Blind or Inference SQLi
  3. Database management system-specific SQLi
  4. Compounded SQLi



Here user need to provide user name and password, if attacker provides ‘or 0=0’ as the username and password then the query will be like this.


Since the inputs provided by the attacker are valid in all circumstances, the query will return all records in the database.

And by this way an attacker will be able to view the sensitive information.

How to prevent SQLi—

  • Adopt an input validation technique where user input is checked against a set of rules.
  • Users should have least privileges on the database.
  • Don’t use ‘SA’ accounts for web applications.
  • Need to have application specific database user accounts.
  • Remove all stored procedures which are not in use.



Troubleshooting “SQL Server Database Is In Recovery Pending State”


Users of SQL Server Database must be aware of Recovery states, that occurs when there is unintentional dropped SQL table or any other components that needs to be restored. The SQL Server Database is in recovery pending state at situations like restart of SQL Server, offline & online state of database or while restoring database from a backup. However, if there is any issue during this recovery process, error can be Read the rest of this entry »

Leave a comment

Posted by on August 30, 2016 in backups, problems



SQL Server 2016 Row Level Security and its Implementation

Security has been always one the main concern by MS SQL Server. All the releases of SQL Server have some new security feature or enhancement of an existing feature. Similarly, the latest edition of SQL Server 2016 has many security features such as Always Encrypted, enhancement of Transparent Data Encryption, Dynamic Data Masking, and Row-Level Security are added.

Read the rest of this entry »

1 Comment

Posted by on July 18, 2016 in SQL Server 2016



SQL Server Management Studio July 2016 Hotfix Update

If you download the July release of SQL Server Management Studio 2016 Please go and download the SQL Server Management Studio July 2016 Hotfix update from here
It is a very important fix that resolve issues produced in the July update that causes you miss important commands in the right-click menu on tables and stored procedures
Here are the Linked customer bug requests:


Leave a comment

Posted by on July 14, 2016 in General topics


Alwayson Availability Groups for Disaster Recovery Solutions


There are many users, who are not aware about disaster recovery planning with always-on availability groups. Even they do not know the terms that come in the utilization of Always-On Availability groups for disaster recovery planning. In the following section, we will discuss about the always-on availability groups for resolving the disaster Read the rest of this entry »



Help! I have -2, -3, or -4 Session ID!

We can kill a session by using KILL command. However, KILL command requires a positive number; executing KILL with negative number returns an error:

Msg 6101, Level 16, State 1, Line 1
Session ID -4 is not valid.

In order to kill the session ID, you need to find the unit of work (UOW) guid.

SELECT DISTINCT(request_owner_guid) AS UOW
  FROM sys.dm_tran_locks
 WHERE request_session_id IN (-2,-3,-4)

Now you can kill this using UOW:

KILL 'D5499C66-E398-45CA-BF7E-DC9C194B48CF'

Like all normal transactions, killing a session causes any work performed by it to be rolled back to bring the database back into consistent state.

The negative session ID are orphaned or stuck sessions that SQL Server; they are rare occurrences. Most often the only one I have seen is -2; what do they mean?

Session ID Description
-2 The blocking resource is owned by an orphaned distributed transaction.
-3 The blocking resource is owned by a deferred recovery transaction.
-4 Session ID of the blocking latch owner could not be determined due to internal latch state transitions.

Reference: Books Online, sys.sysprocesses (Transact-SQL)

This post is cross posted on my SQLCAN Blog, MSDN Blog, and SQL server Consultation blog.

Leave a comment

Posted by on June 22, 2016 in SQl server Administration


Tags: , , , ,

Dissecting SQL Server Execution Plans

I remember my days before, Microsoft SQL Server PFE.  I wanted to learn everything and know everything about SQL Server.  However, getting hold of good resources was tough, as I didn’t have any mentor when I started down my journey to becoming a SQL Server Database Administrator. 

Along the way I did pick up lots of books and references.  One of such books is Dissecting SQL Server Execution Plans. 

I read this book before becoming PFE, I read this now, and I recommend everyone read this book more then once. 

Grant Fritchey (Blog|Twitter) wrote the book back in 2008; I would still recommend take ready.  This book will only help you be better DBA and Developer.

SQL Central, Jeff Moden, Dissecting SQL Server Execution Plans

Amazon, SQL Server Execution Plans

SQL Central, Red Gate, EBook

This post is cross posted on my SQLCAN Blog, MSDN Blog, and SQL server Consultation blog.

Leave a comment

Posted by on June 1, 2016 in Performance MSSQL


Tags: ,