Pantek Library

RE: SQL Injection Basics

From: David Cameron <dcameron(at)itis-now.com>
Date: Wed Feb 12 2003 - 17:29:24 EST


Sorry about the lateness of this. Just had a thought as to a situation where boundary filtering could be difficult to implement. I actually ran across this when working on my BE thesis.

Consider the case where you have three layers, resulting in two boundaries, where communication between the layers is asynchronous/disconnected. Communication between the layers takes the form of fire-and-forget messages. Suppose then a message were sent from the top layer to the bottom layer. Boundary checking at boundary 1 raises no problems; however, boundary checking at layer 2 finds a problem. There are two ways of managing this: ignore the message or try to communicate the error to higher layers. Obviously the latter option is preferable.

If you performed the checking in the first layer, this would not be a problem. On the other hand, the first layer should not necessarily be "aware" that there are layers below that. The way we got around this was to force the first layer to wait for a reply message.

In case you are wondering if there would be a situation where this might actually occur, any situation where part of the chain is "disconnected" could cause this problem. Using MSMQ springs to mind as an example. Also, I think that executing command line code from an ASP page occurs asynchronously. In the case of my thesis, it involved two TCP sockets and a C++ STL queue object.

I don't know if anyone else has any thoughts on this.

regards
David Cameron
nOw.b2b
dcameron@itis-now.com

Received on Wed Feb 12 18:49:10 2003
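Added example, not part of the original post or the author's thesis code: a sketch of the "wait for a reply" approach described above, with three layers joined by in-process queues and the second boundary reporting rejections back through a reply queue keyed by a correlation id. The layer functions, message fields and the `SAFE_NAME` allow-list are assumptions made for illustration.

```python
import queue
import re
import threading
import uuid

# Constructed allow-list for boundary 2 (assumption: the bottom layer
# uses the value as a user name in a database lookup).
SAFE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")

def middle_layer(inbox, outbox):
    """Forwards messages downward; knows nothing of the bottom layer's rules."""
    while (msg := inbox.get()) is not None:
        outbox.put(msg)
    outbox.put(None)  # pass the shutdown marker on

def bottom_layer(inbox, replies):
    """Boundary 2: validate, then always answer using the message's id."""
    while (msg := inbox.get()) is not None:
        ok = SAFE_NAME.fullmatch(msg["name"]) is not None
        replies.put({"id": msg["id"], "ok": ok,
                     "error": None if ok else "rejected at boundary 2"})

def send_and_wait(name, to_middle, replies, timeout=2.0):
    """Top layer: send, then block until the reply with our id arrives."""
    msg_id = uuid.uuid4().hex
    to_middle.put({"id": msg_id, "name": name})
    try:
        while True:
            reply = replies.get(timeout=timeout)
            if reply["id"] == msg_id:  # discard stale replies from earlier sends
                return reply
    except queue.Empty:
        # Silence is treated as failure, never as acceptance.
        return {"id": msg_id, "ok": False, "error": "no reply (timeout)"}

def run_demo(names):
    to_middle, to_bottom, replies = queue.Queue(), queue.Queue(), queue.Queue()
    workers = [threading.Thread(target=middle_layer, args=(to_middle, to_bottom)),
               threading.Thread(target=bottom_layer, args=(to_bottom, replies))]
    for w in workers:
        w.start()
    results = [send_and_wait(n, to_middle, replies) for n in names]
    to_middle.put(None)
    for w in workers:
        w.join()
    return results

if __name__ == "__main__":
    for r in run_demo(["alice", "x' OR '1'='1"]):  # constructed inputs
        print(r["ok"], r["error"])
```

The top layer only learns "accepted", "rejected" or "no reply"; it needs no knowledge of which lower layer ran the check.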

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT

