Re: [Info-ingres] RES: [Info-ingres] RES: [Info-ingres] SQL Injection attacks
- From: Michael Leo <mleo@xxxxxxxxxxxxxxx>
- Date: Mon, 12 Jun 2006 19:19:36 -0500
Emiliano wrote:
Leandro Pinto Fava wrote:
Emile,
In our case the problems were in the application layer.
HTML injection?
No, when I said application layer, I wanted to say the problem was not
in database server.
SQL injection attacks are *always* in the application layer. The database server is never culpable; SQL injection attacks are the situations where the DB server does as it's told correctly, but is presented with a query which is not as intended by the app programmers. It's a logical failure, not a technical failure.
Emile
I'd almost agree if it weren't for stored procedures. I'm not sure if
I could manage a SQL injection attack with Ingres' limited stored procedure
language, but Oracle certainly has experienced a number of attack vectors
via PL/SQL packages.
Whether or not that is considered "the database" is another matter.
Cheers,
Mike Leo
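
Added example (not part of the original message or thread): the point quoted above, that the server correctly executes a query the application did not intend, shown with Python's sqlite3 module as a concatenated lookup beside a bound one. The table, data and function names are assumptions constructed for this illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; schema and names are assumptions for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?)",
                   [("alice",), ("bob",), ("carol",), ("o'brien",)])
    return db

def lookup_concatenated(db, name):
    # Vulnerable: the input becomes part of the SQL text, so the parser may
    # read it as syntax (quotes, operators) instead of as a value.
    sql = "SELECT name FROM accounts WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, name):
    # Hardened: the SQL text is fixed; the input travels separately as a value.
    sql = "SELECT name FROM accounts WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]

def attempt(fn, db, name):
    # Report a statement the engine rejects instead of raising.
    try:
        return fn(db, name)
    except sqlite3.OperationalError:
        return "error"

def demo():
    db = make_db()
    crafted = "nobody' OR '1'='1"   # constructed input that contains SQL syntax
    legit = "o'brien"               # legitimate input that contains a quote
    return {
        "concat_crafted": attempt(lookup_concatenated, db, crafted),
        "bound_crafted": attempt(lookup_bound, db, crafted),
        "concat_apostrophe": attempt(lookup_concatenated, db, legit),
        "bound_apostrophe": attempt(lookup_bound, db, legit),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The engine behaves identically in both lookups; only the way the application builds the statement differs. The same distinction applies wherever the string is assembled, including a stored procedure that builds dynamic SQL from its parameters.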