WebApp Sec mailing list archives
RE: SQL Injection Basics
From: "David Cameron" <dcameron () itis-now com>
Date: Thu, 13 Feb 2003 09:29:24 +1100
Sorry about the lateness of this. Just had a thought as to a situation where boundary filtering could be difficult to implement. I actually ran across this when working on my BE thesis.

Consider the case where you have three layers, resulting in two boundaries, where communication between the layers is asynchronous/disconnected. Communication between the layers takes the form of fire-and-forget messages. Suppose then that a message were sent from the top layer to the bottom layer. Boundary checking at boundary 1 raises no problems; however, boundary checking at layer 2 finds a problem. There are two ways of managing this: ignore the message, or try to communicate the error to higher layers. Obviously the latter option is preferable. If you performed the checking in the first layer this would not be a problem. On the other hand, the first layer should not necessarily be "aware" that there are layers below it. The way we got around this was to force the first layer to wait for a reply message.

In case you are wondering if there would be a situation where this might actually occur, any situation where part of the chain is "disconnected" could cause this problem. Using MSMQ springs to mind as an example. Also, I think that executing command-line code from an ASP page occurs asynchronously. In the case of my thesis, it involved two TCP sockets and a C++ STL queue object.

I don't know if anyone else has any thoughts on this.

regards
David Cameron
nOw.b2b
dcameron () itis-now com
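The arrangement described above, as an added example that is not part of the original post: three layers joined by queues, where the first layer validates what it can at boundary 1 and then waits for a correlated reply, so a rejection at boundary 2 is reported back instead of being silently dropped. The two boundary rules, the layer workers and the sample payloads are assumptions made for the illustration.

```python
import queue
import threading
import uuid
from dataclasses import dataclass, field

@dataclass
class Message:
    payload: str
    reply_to: queue.Queue  # the sender's reply queue (the "wait for a reply" fix)
    msg_id: str = field(default_factory=lambda: uuid.uuid4().hex)  # correlation id

def boundary2_check(payload: str):
    # Assumed layer 2 -> layer 3 rule: the bottom layer only accepts plain identifiers.
    return None if payload.isalnum() else "boundary 2: payload is not a plain identifier"

def layer2_worker(inbox: queue.Queue, outbox: queue.Queue):
    while (msg := inbox.get()) is not None:
        err = boundary2_check(msg.payload)
        if err:
            msg.reply_to.put((msg.msg_id, "rejected", err))  # report, don't drop
        else:
            outbox.put(msg)

def layer3_worker(inbox: queue.Queue):
    while (msg := inbox.get()) is not None:
        msg.reply_to.put((msg.msg_id, "ok", f"stored {msg.payload}"))

def send_and_wait(payload: str, q12: queue.Queue, timeout: float = 1.0):
    # Boundary 1: layer 1 can only apply a coarse check; it knows nothing of layer 3.
    if not 0 < len(payload) <= 32:
        return ("rejected", "boundary 1: empty or oversized payload")
    reply_q = queue.Queue()
    msg = Message(payload, reply_q)
    q12.put(msg)
    try:
        msg_id, status, detail = reply_q.get(timeout=timeout)
    except queue.Empty:
        return ("timeout", "no reply from lower layers")
    return (status, detail) if msg_id == msg.msg_id else ("error", "mismatched reply")

def run_pipeline(payloads):
    q12, q23 = queue.Queue(), queue.Queue()
    workers = [threading.Thread(target=layer2_worker, args=(q12, q23)),
               threading.Thread(target=layer3_worker, args=(q23,))]
    for w in workers: w.start()
    results = {p: send_and_wait(p, q12) for p in payloads}
    q12.put(None); q23.put(None)  # shut the workers down
    for w in workers: w.join()
    return results
```

Without the reply queue and timeout, the "order 42" case below would simply vanish inside layer 2, which is the failure mode the post describes.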