This is more of a curiosity. I'll explain the reason for it in a minute, but my question is...
If a hacker began sending commands to insert, let's say, 20 million records into a SQL Server (2008 R2) database table every second, what would happen? How does SQL Server handle that? Would it bring down just that particular database, or would it choke off the entire server, potentially bringing down all databases on that SQL Server? I'm guessing SQL Server has security in place to prevent such a disaster, but I'm just curious how serious it would be.
The reason for my question is that we have a programmer at our company who wrote a website with one absolutely terrible security loophole. It's an ordering website, where one feature is that the user can go into their order and add additional quantities of an item they've already ordered. These items being ordered are very specific to the industry we're in, so it's not as simple as updating an ordered item's "Quantity" field in the database. Instead, for each new quantity added to an order, a new record for that item needs to be inserted into a table.
So, the other day, I was reviewing his website code for another issue when I realized this quantity insert he's doing originates from a URL that looks like the following, which has a "Quantity" parameter in it:
http://www.OurSite.com/OrderDetails?orderid=55555&itemid=18&quantity=2
I realized if I copy that URL and change the quantity to 10 or 1000 or even 10000000, it still inserts that number of new records into the database table. Even worse, I don't have to be logged into the website to do so. Any random user can copy & paste this & hit enter as often as they want. And the absolute WORST PART... the URL is from a jQuery postback, meaning that URL can be seen by anyone who views the page's HTML source code or has an HTML proxy server, such as Fiddler, open!
Sorry for the long rant, but anyway, back to my original question... how would SQL Server handle an attack like this? How serious would it be?
Thanks
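The handler the question describes, modelled as an added example that is not code from the original post or from the site in question. It shows the unauthenticated, unbounded per-row insert beside a hardened version that requires a session, checks that the caller owns the order, caps the quantity per request, and performs one set-based insert inside a transaction. It runs against an in-memory SQLite database so it executes offline; the table names, the `userid` ownership column and the limit of 100 units per request are assumptions, and the only values taken from the post are the `orderid=55555`, `itemid=18`, `quantity=2` parameters.

```python
import sqlite3

# Assumed business limit on units added per request; size it to real order volumes.
MAX_QUANTITY_PER_REQUEST = 100


def make_db():
    """Constructed sample schema: one order (55555) owned by user 7, no line items yet."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderid INTEGER PRIMARY KEY, userid INTEGER NOT NULL)")
    conn.execute(
        "CREATE TABLE order_items (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "orderid INTEGER NOT NULL, itemid INTEGER NOT NULL)"
    )
    conn.execute("INSERT INTO orders (orderid, userid) VALUES (55555, 7)")
    conn.commit()
    return conn


def add_quantity_vulnerable(conn, params):
    """Mirrors the behaviour the post describes: no login check, no ownership
    check, no upper bound, and one INSERT round trip per unit of quantity."""
    orderid = int(params["orderid"])
    itemid = int(params["itemid"])
    quantity = int(params["quantity"])  # attacker-controlled, unbounded
    for _ in range(quantity):
        conn.execute("INSERT INTO order_items (orderid, itemid) VALUES (?, ?)", (orderid, itemid))
    conn.commit()
    return quantity


class RequestRejected(Exception):
    """Raised by the hardened handler; the web layer would map it to 401/403/400."""


def add_quantity_hardened(conn, params, session_userid):
    """Hardened handler: authenticated caller, ownership check, bounded quantity,
    single set-based insert in one transaction. Returns the number of rows added."""
    if session_userid is None:
        raise RequestRejected("authentication required")
    try:
        orderid = int(params["orderid"])
        itemid = int(params["itemid"])
        quantity = int(params["quantity"])
    except (KeyError, ValueError):
        raise RequestRejected("malformed parameters")
    if not 1 <= quantity <= MAX_QUANTITY_PER_REQUEST:
        raise RequestRejected(f"quantity must be between 1 and {MAX_QUANTITY_PER_REQUEST}")
    owner = conn.execute("SELECT userid FROM orders WHERE orderid = ?", (orderid,)).fetchone()
    if owner is None or owner[0] != session_userid:
        # Same response whether the order is missing or belongs to someone else.
        raise RequestRejected("order not found for this user")
    # One statement generates `quantity` rows via a recursive CTE instead of a
    # client-side loop; the `with conn:` block commits on success, rolls back on error.
    with conn:
        conn.execute(
            "WITH RECURSIVE n(i) AS (SELECT 1 UNION ALL SELECT i + 1 FROM n WHERE i < ?) "
            "INSERT INTO order_items (orderid, itemid) SELECT ?, ? FROM n",
            (quantity, orderid, itemid),
        )
    return quantity


def attempt(conn, params, session_userid):
    """Controller-style wrapper: ("ok", rows_added) or ("rejected", reason)."""
    try:
        return ("ok", add_quantity_hardened(conn, params, session_userid))
    except RequestRejected as exc:
        return ("rejected", str(exc))


def count_items(conn, orderid):
    return conn.execute("SELECT COUNT(*) FROM order_items WHERE orderid = ?", (orderid,)).fetchone()[0]


if __name__ == "__main__":
    url_params = {"orderid": "55555", "itemid": "18", "quantity": "2"}
    db = make_db()
    print(attempt(db, dict(url_params, quantity="10000000"), None))   # rejected: no session
    print(attempt(db, dict(url_params, quantity="10000000"), 7))      # rejected: over the cap
    print(attempt(db, url_params, 9))                                 # rejected: not the owner
    print(attempt(db, url_params, 7), count_items(db, 55555))         # ok, 2 rows
```

The per-request cap and the ownership check are what remove the amplification the post worries about: an unauthenticated GET can no longer turn one request into millions of rows, and a logged-in user can only add to their own order. Rate limiting at the web tier and a database-side constraint on rows per order are complementary controls the handler alone does not provide.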