
RE: SQL Injection Basics

From: David Cameron <dcameron(at)itis-now.com>
Date: Wed Feb 12 2003 - 22:00:30 EST


I suspect I am going beyond the bounds of the original poster's questions, but I'll run with this anyway. I enjoyed your handout.

> I can easily see needs for systems that provide much more robust feedback

Just one short comment.

I agree that the primary concern of the programmer (in this area) is data integrity, but once that is met, the next concern is usability. Let's take the web app example. A user fills in a form and posts it. As we are running asynchronously there is no information on whether that data has made it to the db successfully or not. If they then examine a page that reports on that data, they may be surprised to find that it is not there. From a user perspective the system has failed.

From a user perspective this could be very dangerous. Suppose they are uploading files to a document management system. User uploads the file. No indication of any errors. User then deletes the file because it is now stored on the web and therefore is no longer needed.

In the case of a web app I guess the solution to the problem would be to query the database for the data to check if it has been inserted correctly, to provide a report on the insert to the user.

Don't get me wrong, I really like the idea of boundary filtering. In fact I think it is one of the most intelligent security innovations I have heard of for a while. I just see some problems arising when applied to asynchronous systems.

regards
David Cameron
nOw.b2b
dcameron@itis-now.com

Received on Wed Feb 12 22:17:10 2003
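The read-back check suggested in the message, as an added example (not the author's code): a boundary filter sits in front of an asynchronous write path and silently drops rows it rejects, so the web tier confirms the insert by querying for a client-side token before telling the user. The filter policy (length and NUL-byte check), the in-memory SQLite table and the in-process queue are assumptions standing in for a real system.

```python
import queue
import sqlite3
import uuid

def boundary_filter(body: str) -> bool:
    """Assumed policy: reject empty, oversized or NUL-bearing input at the boundary."""
    return 0 < len(body) <= 200 and "\x00" not in body

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the document store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE docs (token TEXT PRIMARY KEY, body TEXT)")
    return con

def submit(work: queue.Queue, body: str) -> str:
    """Web tier: enqueue the write and hand the user a token; no result is known yet."""
    token = str(uuid.uuid4())
    work.put((token, body))
    return token

def worker(con: sqlite3.Connection, work: queue.Queue) -> None:
    """Async worker: the filter drops bad rows without telling anyone (the failure mode
    described in the message); accepted rows go in via a parameterised INSERT."""
    while not work.empty():
        token, body = work.get()
        if boundary_filter(body):
            con.execute("INSERT INTO docs (token, body) VALUES (?, ?)", (token, body))
    con.commit()

def verify_stored(con: sqlite3.Connection, token: str) -> bool:
    """Read-back check: the only way the web tier learns whether the row exists."""
    row = con.execute("SELECT 1 FROM docs WHERE token = ?", (token,)).fetchone()
    return row is not None

def run_scenario(bodies: list[str]) -> dict[str, bool]:
    """Submit each body, let the worker run later, then report stored/not stored per body."""
    con, work = make_db(), queue.Queue()
    tokens = {body: submit(work, body) for body in bodies}
    worker(con, work)  # simulates the worker running after the request returned
    return {body: verify_stored(con, tok) for body, tok in tokens.items()}

if __name__ == "__main__":
    for body, ok in run_scenario(["hello world", "", "bad\x00byte"]).items():
        print(repr(body), "stored" if ok else "NOT stored")
```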


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT

