Remove From My Forums

SQL Injection attacks on SharePoint 2010

Question

0

Sign in to vote

I am being challenged by security to ensure that SharePoint is not vulnerable to SQL injection attacks. I have seen a couple of older documents suggesting that as long as the IIS is patched properly, SQL injection attacks are unlikely, but I don't seem to find any supporting current documentation. Does anyone have any suggestions?

Thursday, November 18, 2010 5:07 PM

Reply

|

Quote

Answers

2

Sign in to vote
Out of the box, SharePoint 2010 has no known SQL Injection vulnerabilities. You are right in so much as you should take steps to protect the hosting IIS server, and ensure that all security updates are applied. SQL Injection is much more likely when custom code is deployed within the SharePoint environment. There is no direct passing of input data from the query string or POST back to SQL server within SharePoint 2010.
Cheers
Spence
www.harbar.net
Microsoft Certified Master | SharePoint 2010
Microsoft Certified Master | SharePoint 2007
- Marked as answer by John Burkholder n8ivwarrior Friday, November 19, 2010 9:10 PM
Thursday, November 18, 2010 10:39 PM

Reply

|

Quote