SQL Server must check the validity of data inputs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-41424	SQL2-00-022500	SV-53953r3_rule		Medium

Description
Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands. A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints. While this matter is of great importance to the secure operation of database management systems, the DBA in a typical installation will communicate with the application development/support staff to obtain assurance that this requirement is met.

Description

Invalid user input occurs when a user inserts data or characters into an application’s data entry fields and the application is unprepared to process that data. This results in unanticipated application behavior potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. SQL Server needs to validate the data user’s attempt to input to the application for processing. Rules for checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, acceptable values) are in place to verify inputs match specified definitions for format and content. Inputs passed to interpreters are prescreened to prevent the content from being unintentionally interpreted as commands. A poorly designed database system can have many problems. A common issue with these types of systems is the missed opportunity to use constraints. While this matter is of great importance to the secure operation of database management systems, the DBA in a typical installation will communicate with the application development/support staff to obtain assurance that this requirement is met.

STIG	Date
Microsoft SQL Server 2012 Database Security Technical Implementation Guide	2016-06-24

Details

Check Text ( C-47958r2_chk )
Review SQL Server field definitions, constraints, and foreign keys to determine whether or not data being input into the database is valid. If field definitions are not reflective of the data, this is a finding. If column data types are not assigned correctly where required within the database, this is a finding. If columns do not contain reasonable constraints based on column use, this is a finding.

Check Text ( C-47958r2_chk )

Review SQL Server field definitions, constraints, and foreign keys to determine whether or not data being input into the database is valid.
If field definitions are not reflective of the data, this is a finding.

If column data types are not assigned correctly where required within the database, this is a finding.

If columns do not contain reasonable constraints based on column use, this is a finding.

Fix Text (F-46852r2_fix)
Use triggers, constraints, foreign keys, etc. to validate data input. Modify SQL Server to properly use the correct column data types as required in the database.