Quote:
Originally Posted by CyberJet
So I take it that PF can not inspect the packet and block escape characters contained with the SQL request?
Investigating the packet contents to the level described means that
pf(4) would need to knowingly parse SQL. This would be layer 7
(with knowledge of the application...) activity, & I doubt if this will ever be integrated into
pf(4) -- if for no other reason, this would significantly & adversely affect performance.
Quote:
So therefore the SQL server has to be totally updated. Would that suffice?
No. A database server is to process the queries it is given. If SQL injection is a concern, the application's logic will have to ensure that it can't be done with whatever
(limited) interface is provided to the outside.
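To illustrate the point of the reply above (the fix belongs in the application's query logic, not in the firewall or the database server), here is an added example that is not part of the original thread. It uses Python's standard sqlite3 module with a constructed in-memory table; the table, the column names and the two lookup functions are assumptions made for the demonstration, and one lookup is deliberately written the vulnerable way so it can be compared with the parameterized form.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users table, two rows (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's input becomes part of the SQL text.

    Quote characters in `name` change the statement's structure, which is
    exactly what a packet filter cannot reason about and a database server
    will faithfully execute.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    The statement structure is fixed by the application; whatever the outside
    interface supplies is compared as a plain string value.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "bob"
    # Constructed hostile input: a quote plus a tautology.
    hostile = "bob' OR '1'='1"
    print("vulnerable, benign  :", lookup_vulnerable(db, benign))
    print("vulnerable, hostile :", lookup_vulnerable(db, hostile))   # returns every row
    print("parameterized, hostile:", lookup_parameterized(db, hostile))  # returns []
```

The vulnerable lookup returns both rows for the hostile input because the quote character terminates the literal and the rest is interpreted as SQL; the parameterized lookup returns nothing because the same string is only ever compared against the name column. Keeping the database server patched does not change this outcome either way, which is the reply's point: the query construction in the application decides whether injection is possible.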