WebApp Sec mailing list archives
Re: SQL Injection Basics
From: "dreamwvr () dreamwvr com" <dreamwvr () dreamwvr com>
Date: Tue, 11 Feb 2003 17:17:46 -0700
In 'Solid Software' (Pfleeger et al), they make reference to 'Logical Firewalls', which closely describes this concept from a software POV. (page 138). http://www.amazon.com/exec/obidos/tg/detail/-/0130912980
Yes, and at least as early as September 1, 1991, Building Internet Firewalls describes this concept and the associated application proxies, which this is really a derivative of. We find as well, IIR, that boundary filtering (or similar wording) was referred to as early as the original Firewall-1 list at least, à la Chris Breton, IIR, in a thread we had. The important thing is that applications are filtered in some way. Conceptually this is really a rehash of application proxies.

Since, AFAIK (and I am not a SQL security guru or anything), we are interested in controlling data input from the client and sanitizing it pre-injection into the .db, while preserving the intent of the query or field if valid, reducing the risk of data poisoning due to tainted values being injected into our perfectly good database? Whew. ;-)

This is whereby we create a 'boundary' that filters between the client application and the database server, acting as an intuitive middleman for interactions. We 'filter' these results or, if you like, data entry. Well, that is what the job of an application proxy is by definition. AND | && | & I was not referring to MSProxy or something that says it is one and is not really doing the job it was implied to do.

Sending directly to the list as it takes less finger movement and they're getting tired. :-)

Best Regards,
dreamwvr () dreamwvr com
--
/* Security is a work in progress - dreamwvr */
# # Note: To begin Journey type man afterboot,man help,man hier[.] #
// "Who's Afraid of Schrodinger's Cat?" /var/(.)?mail/me \? ;-]
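The "boundary" the post describes, between the client application and the database, can be shown concretely. The following is an added example written for this archive page, not code from the poster or from any product named in the thread. It uses an in-memory SQLite table with constructed sample rows and assumes a hypothetical rule that valid usernames are lowercase alphanumerics; it contrasts a query built by string concatenation (where a tainted value becomes part of the SQL grammar) with a parameterised query, and then adds the filtering boundary in front of the database layer.

```python
import re
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_ROWS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, name):
    """Query assembled by concatenation: the client value is parsed as SQL text,
    so a value such as  x' OR '1'='1  changes the meaning of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value as data, never as SQL,
    so the intent of the query is preserved whatever the value contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical validity rule for this example (an assumption, not from the post):
# a username is 1-32 characters, lowercase letters, digits or underscore.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def boundary_filter(raw):
    """The 'boundary' in front of the database layer: accept only values that
    match what the field is supposed to hold. Returns the value, or None when
    the input is rejected (a rejection is a useful event to log and alert on)."""
    if USERNAME_RE.match(raw) is None:
        return None
    return raw


def lookup_filtered(conn, raw):
    """Boundary filtering plus parameterisation: each layer holds on its own,
    but together they both reject tainted input and keep the query's intent."""
    name = boundary_filter(raw)
    if name is None:
        return []
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"
    print("unsafe:  ", lookup_unsafe(db, tainted))    # returns every row
    print("safe:    ", lookup_safe(db, tainted))      # returns nothing
    print("filtered:", lookup_filtered(db, tainted))  # rejected at the boundary
    print("valid:   ", lookup_filtered(db, "alice"))
```

The validation rule is deliberately separate from the parameterised query: parameterisation is what actually stops the value from being interpreted as SQL, while the boundary rejects values that make no sense for the field and gives the operator a place to record them.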