One of the most serious problems I see are SQL injections. While most SQL injections have become less of threat since SQL 2005 it doesn’t mean that they have totally gone away. While SQL injections are not the easiest attacks to pull off there are automated tools to help out and a determined hacker can present formable opponent.
should never be passed in from our web client. If you see these in your IIS logs then you have an attempted attack. If may not signify that it was successful but attempted. To find out whether it was successful I look at following IIS log entries to see what data was being returned to your web client.
USE master SELECT * FROM sys.databases
If passed successfully then the hacker can retrieve all the databases on your SQL server.
USE SomeDatabase SELECT * FROM sys.tables
USE AdventureWorksSELECT * FROM sys.columns
From here we can look for any interesting column name like: ccnumb, ssn, order, etc…
Remember, if they can retrieve the information they can also delete the information on your SQL server.