SQL Injection

  • I hang around in this forum so that I can learn. I know a bit. But that does not mean I don't ask basic stupid questions. 😀

    -Roy

  • I hope you guys realise I'm not being overly serious in trusting points etc.

    But I will say this from a position of having to gauge people’s ability in a hectic company.

    Jonathan Kehayias (2/3/2009)


    There are plenty of decent DBA/Developers out there that don't know about SQL Injection. Just look at the number of major sites that have been hit by it.

    They would not be employed.

    If a person going for a role as DBA/developer does not know about something as basic as SQL injection, to the point of not even being able to comment on it they will struggle.

    A lot of sites have been hit I know, we’ve had a few. Being in a company which has been going since before www, every so often a site crops up which was built by someone 10 years ago, which nobody remembers and has just been gathering dust.

    Built before current standards and understanding of the underlying vulnerabilities when linked to a SQL DB.

    But being a business we can’t go on supporting something built before standards were improved.

    They are like Windows 95: we can no longer support them.

    We can try to plug holes, but if they want to meet today's standard, both technically and aesthetically, it's time for an upgrade.

  • NotManyPoints (2/3/2009)


    Jonathan Kehayias (2/3/2009)


    There are plenty of decent DBA/Developers out there that don't know about SQL Injection. Just look at the number of major sites that have been hit by it.

    They would not be employed.

    So sure are you?

    Maybe they wouldn't be employed by you, maybe you've got very high standards, but that's not true everywhere.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • Keep in mind that a few years back SQL Injection wasn't a mainstream subject, and most DBAs that I know and consult with have been in place for 3-5 years currently. I am never surprised to find a DBA who has 8+ yrs experience and is very talented but doesn't have more than a rudimentary concept of SQL Injection. Unless they stay plugged into the community, which, let's face it, a lot of DBAs are introverts who love to sit in their own cube space and be left alone with their servers and databases, they have no real reason to know about the subject.

    Even with the amount of attention it has gotten in the last few years, you still find lots of code in the forums and online that is susceptible to SQL Injection. Why? Because it is easier to write, and it is how developers think in terms of application code. It's one of the reasons that I don't allow any table access in new systems at my job. This is the only way to completely protect against SQL Injection since all code now sits in the database as stored procedures. Take a look at a lot of your ISV apps that are very common in the business world today, and you will see that most don't follow well known and established best practices for data access. You might have the luxury of having full control over your specific environment through home built code, but not everyone fits that mold.

    Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
    My Blog | Twitter | MVP Profile
    Training | Consulting | Become a SQLskills Insider
    Troubleshooting SQL Server: A Guide for Accidental DBAs
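The post above contrasts application code that builds SQL by string concatenation with data access that goes through fixed, parameterised statements. The following is an added example, not code from the thread or from any of the posters: it runs the same login query both ways against a constructed in-memory SQLite database (standing in for SQL Server so the script is self-contained), with a constructed `users` table and two classic payloads. The function and table names are assumptions for illustration.

```python
"""
SQL injection, shown side by side: a query built by splicing user input
into the statement text, and the same query with bound parameters.

Constructed sample data; SQLite stands in for SQL Server so this runs
offline. The users table, names and passwords are illustrative only.
"""
import sqlite3

# Constructed sample rows (assumption: a minimal login table).
SAMPLE_USERS = [
    ("alice", "s3cret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Splices input into the SQL text. A quote in the input changes the
    grammar of the statement instead of being treated as data."""
    sql = (
        "SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn: sqlite3.Connection, name: str, password: str):
    """Statement text is fixed; values are bound separately, so they can
    never close the string literal or append clauses. The T-SQL equivalent
    is a parameterised procedure or sp_executesql with @params, not
    EXEC() over a concatenated string."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo() -> dict:
    """Run both forms with a legitimate login and with two constructed
    payloads; return the result sets so they can be compared."""
    conn = make_db()
    # Payload 1: close the name literal and comment out the password check.
    bypass_user = "alice' --"
    # Payload 2: tautology in the password field; AND binds tighter than OR,
    # so the WHERE clause becomes true for every row.
    dump_password = "' OR '1'='1"
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_bypass": login_vulnerable(conn, bypass_user, "wrong"),
        "vulnerable_dump": login_vulnerable(conn, "nobody", dump_password),
        "parameterised_normal": login_parameterised(conn, "alice", "s3cret"),
        "parameterised_bypass": login_parameterised(conn, bypass_user, "wrong"),
        "parameterised_dump": login_parameterised(conn, "nobody", dump_password),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:24s} -> {rows}")
```

The bypass payload logs in as `alice` without the password through the concatenated form and returns nothing through the bound form; the tautology payload returns every row from the concatenated form. The caveat worth keeping in mind alongside the stored-procedure approach above: revoking direct table access only helps if the procedures themselves bind their arguments. A procedure that concatenates its parameters into a string and runs it with `EXEC()` is exactly `login_vulnerable` moved one layer down.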

  • maybe you've got very high standards, but that's not true everywhere.

    This is why so-called DBAs can exist, because standards can be low. They then end up in a blind panic asking questions on a site like this without doing any basic background research.

    But I’d also question the lack of ingenuity of such a question. Google ‘SQL Injection’, first hit Wiki. 1 second of effort to find, quite informative (10 mins to read).

    So if Paresh wants a good start point try wiki. Or the search on this site which has many worthy reads.

    Such as this one http://qa.sqlservercentral.com/articles/Security/sqlinjection/1269/ (note the first sentence).

    Being an introvert is also no excuse for a lack of ingenuity and basic research. Unless they are based in the arctic and are isolated from the internet entirely. In which case SQL injection would not be a concern really…as would being able to use this forum… :ermm:

  • NotManyPoints (2/3/2009)


    maybe you've got very high standards, but that's not true everywhere.

    This is why so-called DBAs can exist, because standards can be low. They then end up in a blind panic asking questions on a site like this without doing any basic background research.

    But I’d also question the lack of ingenuity of such a question. Google ‘SQL Injection’, first hit Wiki. 1 second of effort to find, quite informative (10 mins to read).

    So if Paresh wants a good start point try wiki. Or the search on this site which has many worthy reads.

    Such as this one http://qa.sqlservercentral.com/articles/Security/sqlinjection/1269/ (note the first sentence).

    Being an introvert is also no excuse for a lack of ingenuity and basic research. Unless they are based in the arctic and are isolated from the internet entirely. In which case SQL injection would not be a concern really…as would being able to use this forum… :ermm:

    Bit harsh. I worked with a SQL Server system where SQL Injection was not a concern. It actually interacted with the web, albeit indirectly, so there were numerous systems between it that eliminated the concern of SQL Injection. To judge the abilities of a SQL DBA as you are does not give them credit where it is due. As more databases begin interacting directly with Web-based applications, then we as DBAs need to begin learning more about such things as SQL Injection. Personally, I have heard about it for several years but have not had to be concerned with it as yet in my work. But rest assured, I try to learn more about it so I can fight it when the time comes for me to be concerned about it.

  • I guess after this useful info the question becomes:

    Has the OP learnt anything or was the English over his head?

  • Lynn, yes possibly I was a little harsh, but if it does not kill us it makes us stronger blah, blah…..

    To know it was not a concern you must have had a vague idea of what it was.

    I'm not asking that everyone knows precisely how to deal with it or the exact syntax of a possible injection. More that they have an awareness and be somewhat ‘up to speed’ as it were in their chosen profession.

    Also don’t get me wrong I quite often have to blag my way through some technical encounter. But I do some basic research, before just throwing my hands in the air and posting a question to the world.

    ex__inferis now your comment could be seen as very harsh, at least I never questioned an ability to read the replies :)

  • I don't mean to sound derogatory towards the OP at all. Not everyone's first language is English (mine isn't). And out of those people a large percentage are less than fluent in it to the extent that using "difficult words" (that is, words that someone posting in the way the OP posted might have trouble understanding) might make him give up.

    So in a way I am not criticizing him. I'm actually criticizing all of you for replying, however correctly and kindly, in a way that someone doing his best typing English might have a hard time understanding.

    Then again:

    - Hardly a good start of my posting career on this forum :p

    - I don't know his English reading skills.

    Carry on. I'll go back to lurking until I have something tangible to contribute 🙂

  • NotManyPoints (2/3/2009)


    Lynn, yes possibly I was a little harsh, but if it does not kill us it makes us stronger blah, blah…..

    To know it was not a concern you must have had a vague idea of what it was.

    I'm not asking that everyone knows precisely how to deal with it or the exact syntax of a possible injection. More that they have an awareness and be somewhat ‘up to speed’ as it were in their chosen profession.

    Also don’t get me wrong I quite often have to blag my way through some technical encounter. But I do some basic research, before just throwing my hands in the air and posting a question to the world.

    ex__inferis now your comment could be seen as very harsh, at least I never questioned an ability to read the replies :)

    offtopic

    Then you haven't been involved in a thread where the OP was using BABELfish to translate between Spanish and English. That one was a very interesting thread to try and help someone on. I finally had to "give up" as I just couldn't get past the language barrier. I really need to learn Spanish, not just for soccer any more, but here as well.

    /offtopic

  • ex__inferis (2/3/2009)


    So in a way I am not criticizing him. I'm actually criticizing all of you for replying, however correctly and kindly, in a way that someone doing his best typing English might have a hard time understanding.

    Since we're all doing such a bad job, I guess you're going to have to step up to the plate and show us how it's done.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • NotManyPoints (2/3/2009)


    More that they have an awareness and be somewhat ‘up to speed’ as it were in their chosen profession.

    Would that go for every aspect of the database field? If so do you have an awareness and are somewhat 'up to speed' on all areas?

    I've known a fair few DBAs who knew nothing about SQL injection. They were admins, in every sense of the word (backups, jobs, space, availability, etc). Injection was more my concern (being half-way between DBA and developer) and that of the developers.

    They were very good at what they did. Does a lack of knowledge of some development aspects make them bad DBAs?

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • The problem is that DBAs are generalized and they all fall under one category. That is, they know everything. I don't think that is right. Everyone has their own specialty. Some, like Gail said, are good as production DBAs who just make sure that the DB is up and running. Another one might be good at replication.

    -Roy

  • GilaMonster (2/3/2009)


    ex__inferis (2/3/2009)


    So in a way I am not criticizing him. I'm actually criticizing all of you for replying, however correctly and kindly, in a way that someone doing his best typing English might have a hard time understanding.

    Since we're all doing such a bad job, I guess you're going to have to step up to the plate and show us how it's done.

    Hmm, I guess my comment didn't come across the way I hoped. It made so much more sense in my head. Lets leave it at "you're right, I'm wrong and I humbly apologise". Okay?

  • GilaMonster (2/3/2009)


    NotManyPoints (2/3/2009)


    More that they have an awareness and be somewhat ‘up to speed’ as it were in their chosen profession.

    Would that go for every aspect of the database field? If so do you have an awareness and are somewhat 'up to speed' on all areas?

    Not had to post a silly (find answer on internet, in 1 second) question yet, but still time I guess.

    The key word in my statement was 'awareness', I'm not expecting they get down and dirty with code. But have an awareness of what is in this case something quite important across most aspects of working with a database, development or administration (and all the shades of grey between).

    Roy Ernest (2/3/2009)


    The problem is that DBA’s are generalized and they all fall under one category.

    What are the categories?

    DBA to turn the server on.

    DBA to make sure the light stays on.

    DBA to shout if the light goes off.

    DBA to turn it on again when the first 'DBA' said they did it last time and would be against regulation to turn it on more than twice a week for fear of RSI.

    'DBA.bak' in case any other DBA is on a tea break.

    Then you need a DBA to oversee all the other DBAs. Then you have a DBAs' Union. Then they go on strike.

    May have gone a bit far with this…..

    Note to self: must work on "how many DBAs does it take to....” jokes.

Viewing 15 posts - 16 through 30 (of 121 total)
