Information
Always validate user input received from a database client or application by testing type, length, format, and range prior to transmitting it to the database server.
Rationale:
Sanitizing user input drastically minimizes risk of SQL injection.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
The following steps can be taken to remediate SQL injection vulnerabilities:
Review TSQL and application code for SQL Injection
Only permit minimally privileged accounts to send user input to the server
Minimize the risk of SQL injection attack by using parameterized commands and stored procedures
Reject user input containing binary data, escape sequences, and comment characters
Always validate user input and do not use it directly to build SQL statements
Impact:
Sanitize user input may require changes to application code or database object syntax. These changes can require applications or databases to be taken temporarily off-line. Any change to TSQL or application code should be thoroughly tested in testing environment before production implementation.
References:
https://owasp.org/www-community/attacks/SQL_Injection
https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008/ms161953(v=sql.100)
https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms161953(v=sql.105)