I am being challenged by security to ensure that SharePoint is not vulnerable to SQL injection attacks. I have seen a couple of older documents suggesting that as long as the IIS is patched properly, SQL injection attacks are unlikely, but I don't seem to find any supporting current documentation. Does anyone have any suggestions?
Out of the box, SharePoint 2010 has no known SQL Injection vulnerabilities. You are right insomuch as you should take steps to protect the hosting IIS server, and ensure that all security updates are applied. SQL Injection is much more likely when custom code is deployed within the SharePoint environment. There is no direct passing of input data from the query string or POST back to SQL Server within SharePoint 2010.
Cheers
Microsoft Certified Master | SharePoint 2010
Microsoft Certified Master | SharePoint 2007
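An added example, not part of the original answer or of SharePoint itself: the kind of custom code the answer points to as the likelier risk, next to a parameterized version. The `OrderLookup` class, the `dbo.Orders` table and the separate line-of-business database it reads from are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-access helper called by a custom SharePoint web part.
// It queries a separate line-of-business database (schema is an assumption).
public static class OrderLookup
{
    // VULNERABLE: the query-string value is concatenated into the SQL text,
    // so SQL Server parses its content as part of the statement.
    public static DataTable FindOrdersUnsafe(string connStr, string customerFromQueryString)
    {
        string sql = "SELECT OrderId, Total FROM dbo.Orders WHERE Customer = '"
                     + customerFromQueryString + "'";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // HARDENED: the SQL text is a constant and the value is sent as a typed,
    // length-bounded parameter, so it cannot alter the statement's structure.
    public static DataTable FindOrders(string connStr, string customerFromQueryString)
    {
        if (customerFromQueryString == null || customerFromQueryString.Length > 100)
            throw new ArgumentException("Invalid customer value.");

        const string sql =
            "SELECT OrderId, Total FROM dbo.Orders WHERE Customer = @customer";
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@customer", SqlDbType.NVarChar, 100).Value =
                customerFromQueryString;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

When reviewing deployed solutions, any `SqlCommand` whose text is assembled from request data with `+`, `string.Format` or `StringBuilder` is the pattern to flag.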