21st June 2011
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by CyberJet
So I take it that PF can not inspect the packet and block escape characters contained within the SQL request?
Investigating the packet contents to the level described means that pf(4) would need to knowingly parse SQL. This would be layer 7 (with knowledge of the application...) activity, & I doubt if this will ever be integrated into pf(4) -- if for no other reason, this would significantly & adversely affect performance.
Quote:
So therefore the SQL server has to be totally updated. Would that suffice?
No. A database server is to process the queries it is given. If SQL injection is a concern, the application's logic will have to ensure that it can't be done with whatever (limited) interface is provided to the outside.
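An added example, not from this thread, of what "the application's logic will have to ensure" looks like in practice: the same lookup written by splicing user input into the SQL text and again with driver placeholders. Python's sqlite3 module and the sample rows are constructed here for the demonstration; a real server needs no such layer, because the hardened query never hands the quote characters to the parser as SQL.

```python
import sqlite3

# Constructed sample data for the demo; not real accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: the input becomes part of the SQL text, so quote
    characters in it change the structure of the statement the server runs.
    This is exactly what a packet filter cannot be expected to catch."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Hardened form: placeholders keep the input as data. The database
    driver binds the values after the statement is parsed, so no character
    the user supplies can alter the query."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def compare(name, password):
    """Run both forms on the same input and return their result sets."""
    conn = make_db()
    try:
        return {
            "concat": login_concat(conn, name, password),
            "param": login_param(conn, name, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A password field containing quote characters: the concatenated query
    # now matches every row, the parameterised one matches none.
    print(compare("alice", "' OR '1'='1"))
```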