From: Blake Frantz (blakemc.net)
Date: Thu Jun 13 2002 - 11:11:45 CDT
> I do agree. SQL injection is a hole in the web application layer.
> The database server is just an innocent bystander. The fact that some
> database servers are more prone to exploitation than others is the luck
> of the draw.
In response to "The database server is just an innocent bystander."
As with any vulnerability, it's best to have a layered security model. I
agree the web application provides a front door to an attacker, but
limiting factors can be applied beneath the application itself. For
example, create a database user that follows the 'required privileges
only' model and then use that account to connect to your database. To
elaborate, if your site doesn't have a legit reason to alter/insert/update
a table, then don't connect with a database user that has those rights.
Granted, if your web application does not verify user-supplied input,
some SQL injection 'attacks' can happen, but the exposure to greater
risks (adding users, etc.) is reduced. In short, yes, the web
application *can* ultimately stop (I dare say) all SQL injection
attacks, but relying completely on the web developer to limit exposure
to such an attack is not entirely 'wise', IMHO.
Blake Frantz MCSE, CCNA
Network Security Analyst
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
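The point Blake makes above, as an added example (it is not code from the original post or from any of the posters): the same deliberately vulnerable, string-concatenated lookup is run twice, once as a database account with full rights and once as an account that can only SELECT from the one table the site needs. SQLite has no GRANT/REVOKE, so the script uses Python's sqlite3 authorizer hook to emulate the read-only account; the schema, sample rows, table names and injection payloads are all constructed for this example and are assumptions, not something from the thread.

```python
import sqlite3

# Constructed sample schema and data for this example (not from the original
# post): a product catalogue the site legitimately reads, and a users table the
# site has no business touching.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
INSERT INTO users VALUES (1, 'alice', 1);
"""

# The only table the web front end has a legitimate reason to SELECT from.
ALLOWED_READ_TABLES = {"products"}


def read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """Stand-in for a database account granted only SELECT on ALLOWED_READ_TABLES.

    SQLite has no GRANT/REVOKE, so its per-statement authorizer hook is used
    here to emulate the server-side privilege model of MySQL/PostgreSQL/MS SQL.
    """
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:           # arg1 is the table being read
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_READ_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:       # built-ins such as count() or lower()
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY                  # INSERT, UPDATE, DELETE, DROP, ...


def connect(least_privilege):
    """Open the sample database; the schema is loaded before any restriction applies."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if least_privilege:
        conn.set_authorizer(read_only_authorizer)
    return conn


def vulnerable_lookup(conn, product_name):
    """Deliberately vulnerable: unvalidated input concatenated into the query."""
    sql = "SELECT name, price FROM products WHERE name = '%s'" % product_name
    return conn.execute(sql).fetchall()


def vulnerable_lookup_stacked(conn, product_name):
    """Same flaw on a driver that runs stacked ';'-separated statements.

    Python's execute() refuses more than one statement, so executescript()
    emulates that driver behaviour (rows from the SELECT are discarded).
    """
    sql = "SELECT name, price FROM products WHERE name = '%s';" % product_name
    conn.executescript(sql)


# Constructed payloads; each closes the opening quote and re-balances the
# trailing one so the injected SQL parses cleanly.
EXFIL_PAYLOAD = "' UNION SELECT username, is_admin FROM users WHERE '1'='1"
ADD_USER_PAYLOAD = "'; INSERT INTO users VALUES (2, 'mallory', 1); SELECT '"


def attempt(fn, conn, payload):
    """Run one injection and return either the rows it yielded or the refusal."""
    try:
        return fn(conn, payload)
    except sqlite3.DatabaseError as exc:        # 'not authorized' from the hook
        return "denied: %s" % exc


def demo(least_privilege):
    """Return (legitimate rows, exfiltration outcome, user count after the attack)."""
    conn = connect(least_privilege)
    legit = vulnerable_lookup(conn, "widget")
    exfil = attempt(vulnerable_lookup, conn, EXFIL_PAYLOAD)
    attempt(vulnerable_lookup_stacked, conn, ADD_USER_PAYLOAD)
    # Audit with full rights so the effect of the attack is visible either way.
    conn.set_authorizer(lambda *args: sqlite3.SQLITE_OK)
    users = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    conn.close()
    return legit, exfil, users


if __name__ == "__main__":
    for lp in (False, True):
        print("least privilege:", lp, demo(lp))
```

With the full-rights account the UNION payload returns the users table and the stacked payload adds a second, admin-flagged user; with the restricted account the legitimate lookup still works but both payloads fail at statement compile time with "not authorized", and the user count stays at one. On a real server the equivalent of the authorizer is the account's grants (for example a SELECT grant on the catalogue table only, and nothing on users); the web-tier bug is unchanged in both runs, which is exactly the point: the injection still exists, but what it can reach has been cut down beneath the application.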