RE: SQL Injection Basics

["David Cameron" <dcameron () itis-now com>]

Sorry about the lateness of this. Just had a thought as to a situation where boundary filtering could be difficult to 
implement. I actually ran across this when working on my BE thesis.

Consider that case where you have three layers, resulting in two boundaries, where communication between the layers is 
asynchronous/disconnected. Communication between the layers takes the form of fire and forget messages. Suppose then a 
message were sent from the top layer to the bottom layer. Boundary checking at boundary 1 raises no problems, however 
boundary checking at layer 2 finds a problem. There are two ways of managing this: ignore the message or try to 
communicate the error to higher layers. Obviously the latter option is preferable.

If you performed the checking in the first layer this would not be a problem. On the other hand the first layer should 
not necessarily be "aware" that there are layers below that. The way we got around this was to force the first layer to 
wait for a reply message.

In case you are wondering if there would be a situation where this might actually occur, any situation where part of 
the chain is "disconnected", could cause this problem. Using MSMQ springs to mind as an example. Also I think that 
executing command line code from an ASP page occurs asynchronously. In the case of my thesis, it involved two TCP 
sockets and a C++ STL queue object. 

I don't know if anyone else has any thoughts on this.

regards
David Cameron
nOw.b2b
dcameron () itis-now com