<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>SQL Injection – again?</title><link>http://blogs.technet.com/b/rhalbheer/archive/2008/12/22/sql-injection-again.aspx</link><description>This week I had – again – a longer mail thread on SQL Injection attacks. Probably it caught me at the wrong moment, as it was a very long week preparing for the IE Out of Band making sure everybody knows what they have to do. And then… 
 I was actually</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: SQL Injection – again?</title><link>http://blogs.technet.com/b/rhalbheer/archive/2008/12/22/sql-injection-again.aspx#3172167</link><pubDate>Mon, 22 Dec 2008 16:26:09 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3172167</guid><dc:creator>Paschal</dc:creator><description>&lt;p&gt;Hi Roger, now one thing to add. I said also that I wish Microsoft released a future version of SQL Server where all the dangerous bits are locked by DEFAULT. A bit like Windows Server 2008, where it's up to the user to choose what he wants to open.&lt;/p&gt;
&lt;p&gt;Things like EXECUTE or SELECT on the Master table should be locked!&lt;/p&gt;
&lt;p&gt;Remember I am the only person available in my organization, and I am surely not the only one working like that. So my job consists of DBA, programmer, IT, firewall guru, etc...&lt;/p&gt;
&lt;p&gt;So it has been a pretty tough ride recently with things that should not be there from the beginning.&lt;/p&gt;
&lt;p&gt;Another thing I didn't know about is the 'httponly' attribute in web configuration files to lock the cookies in read-only mode.&lt;/p&gt;
&lt;p&gt;Web config files have a huge number of methods, parameters and attributes and it's very hard to know all of them. I am proud to say I learn every day, but the same as with SQL: if cookies can execute their code, they shouldn't be allowed to do that by DEFAULT.&lt;/p&gt;
&lt;p&gt;Thanks&lt;/p&gt;
&lt;p&gt;Paschal&lt;/p&gt;
</description></item></channel></rss>