Thread

  1. Re: [SECURITY] DoS attack on backend possible

    Zeugswetter Andreas DCP SD <zeugswettera@spardat.at> — 2002-08-20T16:14:39Z

    > > with Perl and *using placeholders and bind values*, the application
    > > developer has not to worry about this. So, usually I don't check the
    > > values in my applications (e.g. if only values between 1 and 5 are
    > > allowed and under normal circumstances only these are possible), it's the
    > > task of the database (check constraint). 
    > 
    > That's the idea.  It's the job of the database to guarantee data
    > integrety.
    
    Yes, but what is currently missing is a protocol to the backend
    where a statement is prepared with placeholders and then executed
    (multiple times) with given values. Then there is no doubt what is a
    value, and what a part of the SQL.
    
    I think that this would be a wanted feature of the next
    protocol version. iirc the backend side part is currently beeing 
    implemented.
    
    Andreas
    
    
  2. Re: [SECURITY] DoS attack on backend possible

    Florian Weimer <weimer@cert.uni-stuttgart.de> — 2002-08-20T16:31:28Z

    "Zeugswetter Andreas SB SD" <ZeugswetterA@spardat.at> writes:
    
    > Yes, but what is currently missing is a protocol to the backend
    > where a statement is prepared with placeholders and then executed
    > (multiple times) with given values. Then there is no doubt what is a
    > value, and what a part of the SQL.
    
    This wouldn't have helped in the current case.  The bug is in the
    datetime parser which translates strings to an external
    representation, not in the SQL parser.
    
    -- 
    Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
    University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
    RUS-CERT                          fax +49-711-685-5898