none
SQL Injection attacks on SharePoint 2010

    Question

  • I am being challenged by security to ensure that SharePoint is not vulnerable to SQL injection attacks. I have seen a couple of older documents suggesting that as long as the IIS is patched properly, SQL injection attacks are unlikely, but I don't seem to find any supporting current documentation. Does anyone have any suggestions?
    Thursday, November 18, 2010 5:07 PM

Answers

  • Out of the box, SharePoint 2010 has no known SQL Injection vulnerabilities. You are right in so much as you should take steps to protect the hosting IIS server, and ensure that all security updates are applied. SQL Injection is much more likely when custom code is deployed within the SharePoint environment. There is no direct passing of input data from the query string or POST back to SQL server within SharePoint 2010.
    Cheers
    Spence
    www.harbar.net
    Microsoft Certified Master | SharePoint 2010
    Microsoft Certified Master | SharePoint 2007
    Thursday, November 18, 2010 10:39 PM