Security Center for SQL Server Database Engine and Azure SQL Database
Updated: November 23, 2015
Applies To: Azure SQL Database, SQL Server 2016 Preview
This page provides links to help you locate the information that you need about security and protection in the SQL Server Database Engine and Azure SQL Database.
Who Authenticates? (Windows or SQL Server)
Authenticate at the master database (Logins and database users)
Authenticate at a user database
Using Other Identities
Granting, Revoking, and Denying Permissions
Security by Roles
Restricting Data Access to Selected Data Elements
Column, Data, & Key Encryption
Encrypting Data in Transit
SQL injection is an attack in which malicious code is inserted into strings that are later passed to the Database Engine for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. All database systems have some risk of SQL injection, and many of the vulnerabilities are introduced in the application that is querying the Database Engine. You can thwart SQL injection attacks by using stored procedures and parameterized commands, avoiding dynamic SQL, and restricting permissions on all users. For more information, see SQL Injection.
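The mitigations named above, shown as an added T-SQL example (not code from the original page): a procedure that concatenates input into dynamic SQL, beside a static parameterized procedure, a parameterized sp_executesql call, and a restricted role. All object names (dbo.Customers, the FindCustomer_* procedures, app_reader) and the sample rows are hypothetical; GO is the batch separator used by sqlcmd and SSMS.

```sql
-- Constructed sample table and rows (hypothetical names).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(50)  NOT NULL,
    Email      NVARCHAR(100) NOT NULL
);
INSERT INTO dbo.Customers (LastName, Email)
VALUES (N'Smith', N'smith@example.com'), (N'O''Brien', N'obrien@example.com');
GO
-- Weak: caller input is concatenated into the statement text, so the
-- Database Engine parses it as SQL rather than treating it as data.
CREATE PROCEDURE dbo.FindCustomer_Concatenated @LastName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);
END;
GO
-- Preferred: static, parameterized statement; no dynamic SQL at all.
CREATE PROCEDURE dbo.FindCustomer_Static @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = @LastName;
END;
GO
-- If dynamic SQL cannot be avoided: keep the statement text constant and
-- pass the value as a typed parameter through sp_executesql.
CREATE PROCEDURE dbo.FindCustomer_Parameterized @LastName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Email FROM dbo.Customers WHERE LastName = @ln';
    EXEC sys.sp_executesql @sql, N'@ln NVARCHAR(50)', @ln = @LastName;
END;
GO
-- Restrict permissions: the application role may only execute the static
-- procedure and has no direct rights on the table. Dynamic SQL is checked
-- against the caller's own permissions, so it would also need SELECT here.
CREATE ROLE app_reader;
GRANT EXECUTE ON OBJECT::dbo.FindCustomer_Static TO app_reader;
GO
-- A legitimate surname containing an apostrophe, passed to each procedure:
EXEC dbo.FindCustomer_Static        @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Parameterized @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Concatenated  @LastName = N'O''Brien';
```

With the constructed surname O'Brien, the static and parameterized procedures return the matching row, while the concatenated procedure fails with a syntax error because the apostrophe ends the string literal early. That failure on ordinary input is a useful review signal that a procedure is building statement text from data.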
Additional links for application programmers: