
#1 2010-03-02 02:18:45

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,230

Database firewall

Just came across this whilst I was looking for something totally unrelated, but thought I'd pop the link up in case it was of use to anyone.

http://www.greensql.net/


Screw the chavs and God save the Queen!


#2 2010-03-06 03:29:54

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,117

Re: Database firewall

If you really think you need something like this, you're better off just writing proper stored procedures and letting the database handle the security aspects. No need to stick a proxy server in front of it.

Their heuristics won't stop every SQL injection (and will match a fair number of valid queries):

* Access to sensitive tables (users, accounts, credit information)
* Comments inside SQL commands
* An empty password string
* An 'or' token inside a query
* An SQL expression that always returns true (SQL tautology)

The key is that they have you run it in "learning mode" and then set it up to reject any queries that aren't explicitly whitelisted. Those heuristics are irrelevant in their primary use-case. It's definitely an interesting idea, but I can't see this being run on any serious site: any site where people are really that afraid of SQL injections could benefit more greatly from the use of stored procedures / prepared queries.

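As an added example (not part of the post above, and not GreenSQL's own code), the five heuristics it lists are approximated as regular expressions and run over a few constructed queries: three ordinary queries that trip a rule, a UNION payload that slips past all five because it avoids every listed token, and the same payload passed as a bound parameter. Python's sqlite3 stands in here for pg_query_params / mysqli prepare; the table names, the payload and the stored hash are all made up for the demonstration.

```python
import re
import sqlite3

# The five heuristics from the post, approximated as regular expressions.
# This is an illustration of that kind of check, not GreenSQL's implementation.
HEURISTICS = {
    "sensitive table": re.compile(r"\b(users|accounts|credit)\w*", re.I),
    "sql comment": re.compile(r"--|/\*|#"),
    "empty password": re.compile(r"password\s*=\s*''", re.I),
    "or token": re.compile(r"\bor\b", re.I),
    # '1'='1' or 1=1: the same literal on both sides of an '='
    "tautology": re.compile(r"(?<!\w)(\d+|'[^']*')\s*=\s*\1(?!\w)"),
}


def flag_query(sql):
    """Return the names of the heuristics that fire on one SQL statement."""
    return [name for name, rx in HEURISTICS.items() if rx.search(sql)]


# Constructed, harmless application queries that the heuristics reject anyway.
LEGIT_QUERIES = [
    "SELECT id FROM orders WHERE status = 'shipped' OR status = 'backordered'",
    "SELECT id FROM products WHERE name = 'Widget #3'",
    "UPDATE users SET last_visit = 1267500000 WHERE id = 42",
]

# Constructed attacker input for the numeric template in lookup_concat():
# a UNION against a table that is not on the 'sensitive' list, with no OR,
# no comment marker, no empty password and no tautology.
PAYLOAD = "5 UNION SELECT id, password_hash FROM members"


def false_positives():
    """Map each legitimate query that gets rejected to the rule(s) that fired."""
    return {q: flag_query(q) for q in LEGIT_QUERIES if flag_query(q)}


def build_db():
    """In-memory schema with constructed rows (hypothetical tables and hash)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE members (id INTEGER PRIMARY KEY, password_hash TEXT);
        INSERT INTO posts VALUES (5, 'Database firewall');
        INSERT INTO members VALUES (1, '$2y$...constructed-hash');
    """)
    return conn


def lookup_concat(conn, user_input):
    """Vulnerable: user input is pasted into the statement text.

    Returns (heuristics that fired, rows the database actually returned)."""
    sql = "SELECT id, title FROM posts WHERE id = " + user_input
    return flag_query(sql), conn.execute(sql).fetchall()


def lookup_param(conn, user_input):
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL (the same idea as pg_query_params or mysqli_stmt::bind_param)."""
    sql = "SELECT id, title FROM posts WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()
```

Run `false_positives()` to see the 'or' token, the `#` in a product name and the application's own `users` table each rejected, then compare `lookup_concat(build_db(), PAYLOAD)` (no rule fires, and the member's hash comes back in the result set) with `lookup_param(build_db(), PAYLOAD)` (no rows: the whole string is compared against the integer column as data). In a real application the id would additionally be validated as an integer before it is bound.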

#3 2010-03-06 11:15:57

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,230

Re: Database firewall

I'll admit to not having checked through it thoroughly. I just try to post any links which may possibly be of use before I forget about them, these days.

Edit: Just on the prepared queries note, does anyone know why the pg_ functions in PHP have a far better selection of commands than the other database types? Is it due to limitations of the other DB interfaces or merely that no-one has created the corresponding functions for those PHP DB interfaces yet? Just a curiosity question. For example, pg_prepare, pg_query_params etc. Just wondered if that was liable to change in future, or as to whether using the PDO layer or suchlike was the only way to have consistency of available functions.

http://uk2.php.net/manual/en/ref.pgsql.php
http://uk2.php.net/manual/en/ref.mysql.php

Last edited by MattF (2010-03-06 11:23:57)



#4 2010-03-06 12:28:31

Smartys
Former Developer
Registered: 2008-04-27
Posts: 3,117

Re: Database firewall

http://php.net/manual/en/mysqli.prepare.php

mysql is not the "modern" MySQL extension.


#5 2010-03-14 22:40:21

MattF
Member
From: South Yorkshire, England
Registered: 2008-05-06
Posts: 1,230

Re: Database firewall

Cheers. I'd just assumed the MySQLi extension was for that flatfile? variant. I hadn't realised it was the main one now.



Powered by FluxBB 1.4.8