[TYPO3-dev] Improvement against SQL injections

ries van Twisk typo3 at rvt.dds.nl
Sat Jun 16 15:16:23 CEST 2007


On Jun 16, 2007, at 3:40 AM, Martin Kutschker wrote:

> ries van Twisk schrieb:
>> Since we have DBAL in place,
>>
>> why not parse all SQl statements and deny insert/delete/updates to
>> tables using a rule set similar to ACL's.
>
> And say goodbye to performance? Use the ACL of the DB to do this.
Agreed,
there are methods to speed this up though...


Like we both said in another mail, using two DB users can help a lot against compromising important tables.

Ries

>
> Masi
>
>> I am always against giving extension direct DB access (in any system)
>> and I strongly believe there should be a proper DB API.
>
> DBs have ACLs and VIEWs to relieve the application of some of this burden.

Yup... far from easy, I agree

>
>> Apart from that:
>> With a proper DB API you can also set up an ACL on a DB level.
>
> But once this is broken by the attacker he has gained full access again.

That is true with all security systems...

I was just thinking out loud...

>
> Masi
> _______________________________________________
> TYPO3-dev mailing list
> TYPO3-dev at lists.netfielders.de
> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-dev
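The "two DB users" and "ACLs and VIEWs" idea that ries and Masi discuss above, as an added MySQL example that is not part of the thread: a read-only user for the frontend and a read/write user for the backend, with a view hiding the sensitive columns. The database name, table layouts, user names and passwords are illustrative assumptions (the table names mirror common TYPO3 ones but are constructed here).

```sql
-- Added example, not from the thread. Database, tables, users and
-- passwords are assumptions for illustration only.
CREATE DATABASE IF NOT EXISTS typo3_site;
USE typo3_site;

-- Minimal constructed tables: one holding credentials, one holding content.
CREATE TABLE IF NOT EXISTS be_users (
    uid      INT PRIMARY KEY AUTO_INCREMENT,
    username VARCHAR(50)  NOT NULL,
    password VARCHAR(100) NOT NULL,
    admin    TINYINT      NOT NULL DEFAULT 0
);
CREATE TABLE IF NOT EXISTS tt_content (
    uid      INT PRIMARY KEY AUTO_INCREMENT,
    pid      INT NOT NULL,
    header   VARCHAR(255),
    bodytext TEXT
);

-- A view that exposes only non-sensitive columns of be_users, so a
-- lower-privileged connection never sees the password column at all.
CREATE OR REPLACE VIEW be_users_public AS
    SELECT uid, username FROM be_users;

-- Frontend DB user: SELECT only, and only on content plus the view.
-- An SQL injection through this connection cannot INSERT/UPDATE/DELETE,
-- and cannot read be_users.password.
CREATE USER 'typo3_fe'@'localhost' IDENTIFIED BY 'CHANGE-ME-fe';
GRANT SELECT ON typo3_site.tt_content      TO 'typo3_fe'@'localhost';
GRANT SELECT ON typo3_site.be_users_public TO 'typo3_fe'@'localhost';

-- Backend DB user: DML on the tables it must maintain, but no DDL
-- (no DROP/ALTER/CREATE) and nothing outside this database.
CREATE USER 'typo3_be'@'localhost' IDENTIFIED BY 'CHANGE-ME-be';
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3_site.tt_content TO 'typo3_be'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3_site.be_users   TO 'typo3_be'@'localhost';

-- Quick check of what each account actually holds.
SHOW GRANTS FOR 'typo3_fe'@'localhost';
SHOW GRANTS FOR 'typo3_be'@'localhost';

-- Run while connected as typo3_fe; both are expected to be refused
-- by the server with a "command denied" error:
-- DELETE FROM tt_content WHERE uid = 1;
-- SELECT password FROM be_users;
```

The point Masi raises still holds: if the backend account is what the injected query runs under, the grants above do not save the tables it may write. The split only shrinks the damage an injection through the frontend connection can do, which is why the two connections must really use two different accounts rather than one shared login.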