[WEB SECURITY] SQL injection and N tier Architecture

Infosec infosecm at gmail.com
Thu Feb 7 16:16:52 EST 2013


Hi all,

Actually, I'm wondering about N-tier from a security point of view.
I was focusing on the application itself and never thought about the architecture.

You answered my question.

Thank you all for your cooperation.


Regards,


On Feb 5, 2013, at 5:01 AM, Nahuel Grisolia <nahuel.grisolia at gmail.com> wrote:

> Hey there!
> 
> I believe he's trying to ask the following:
> 
> Why use a 3-tier scheme if with an SQL injection issue the attacker is able to "take over" the DB, or with a Command injection control the App Server... and/or with some kind of vulnerability like the one for Apache you can play with the Web Server infra?
> 
> Maybe he's wondering that... don't really know
> cheers, Nahu.-
> 
> On Feb 4, 2013, at 9:51 PM, Jim Manico <jim at manico.net> wrote:
> 
>> I second that notion.
>> 
>> https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
>> 
>> - Jim
>> 
>>> You are barking up the wrong tree. SQL injection is a coding issue, tell your devs to use parameterized queries.
>>> 
>>> -phil
>>> @bsdwiz
>>> 
>>> On Feb 4, 2013, at 4:56 PM, Infosec <infosecm at gmail.com> wrote:
>>> 
>>>> Hello,
>>>> 
>>>> I need to know how different architectures will affect application security.
>>>> For example:
>>>> 
>>>> A. Web server and Database server
>>>> B. Web server, Application server and Database server
>>>> 
>>>> How secure are the above architectures against SQL injection?
>>>> 
>>>> I know multi-tier is more secure, but I need more explanation.
>>>> Multi-tier is more secure, but still doesn't prevent SQL injection, does it?
>>>> 
>>>> 
>>>> Regards,
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>> 
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>> 
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>> 
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>> 
>>>> websecurity at lists.webappsec.org
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org




More information about the websecurity mailing list
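
An added illustration of the point made in this thread, not code from any list member: the same lookup is run through architecture A (web server calls the database directly) and architecture B (web server forwards to an application tier), once with string concatenation and once with a parameterized query. All function names, the in-memory SQLite table and the input strings are constructed for this example.

```python
import sqlite3

def make_db():
    """Database tier: constructed sample data in an in-memory SQLite DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concat(db, name):
    """Builds SQL by string concatenation: the input is parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_param(db, name):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

def web_tier(app_tier, db, raw_input):
    """Architecture B: the web server only forwards the request to the
    application tier, so the input reaches the query builder unchanged."""
    return app_tier(db, raw_input)

def compare(raw_input):
    """Rows returned for (A concat, B concat, A param, B param)."""
    db = make_db()
    return (lookup_concat(db, raw_input),            # A, concatenated
            web_tier(lookup_concat, db, raw_input),  # B, concatenated
            lookup_param(db, raw_input),             # A, parameterized
            web_tier(lookup_param, db, raw_input))   # B, parameterized

if __name__ == "__main__":
    labels = ("A concat", "B concat", "A param", "B param")
    # Constructed inputs: a normal name, then a value containing a quote.
    for value in ("alice", "x' OR '1'='1"):
        for label, rows in zip(labels, compare(value)):
            print(f"{value!r:18} {label:9} -> {len(rows)} row(s)")
```

With the quoted input, both concatenated variants return every row regardless of how many tiers sit in front of the database, while both parameterized variants return none.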