Re: Mitigating SQL injection attacks with access-control

Hi Stephen: Thanks for your very informative reply. Best regards. -- Sanjai

Stephen Frost wrote:
Sanjai,

* Sanjai Narain (narain@xxxxxxxxxxxxxxxxxxxxxx) wrote:
A lot has been written about validating inputs to avoid SQL injection attacks. Have there been attempts to mitigate such attacks with access-control policies, perhaps combining those for SELinux and MySQL? Thanks for any answers. Best regards. -- Sanjai

I'm not sure how appropriate this is for this list, but, I don't believe
SELinux and/or MySQL will solve SQL injection issues.  They may help to
mitigate the results, but the best approach, by far, is to use proper
database prepared queries.  By using prepared queries and passing in any
user-supplied data separately, you completely remove the SQL injection
problem.  By using VIEWs and stored procedures you can even simplify the
queries that are done by the application and provide a kind of API
between the application and the database that allows both to change
without requiring a change of the other.

This is a much better solution to any kind of input validation when it
comes to avoiding SQL injection.  Of course, proper foreign keys in your
database, proper types, and CHECK constraints, will minimize the
possibility of garbage/invalid data ending up in your database.  Having
these database-level checks is really important to maintaining the
integrity of your data.  Even if you have such checks in your
application, it often happens that people access the database without
using the application or while bypassing the application checks.

Regarding SELinux and MySQL specifically- I don't believe MySQL has
SELinux hooks built in or available as a patch (if anyone is aware of
one, I'd be very curious to see it..).  The PostgreSQL community is
currently evaluating an SELinux patch (SE-Postgres) to add row-level
security, etc, to the core PostgreSQL distribution.  If you're
interested in an open source RDBMS with row-level security and SELinux
hooks, you might start a discussion on the pgsql-general list at
http://www.postgresql.org/community/lists/.

	Thanks,

		Stephen
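An added example (not from the thread) of the point Stephen makes about prepared queries and database-level CHECK constraints. It uses Python's standard-library sqlite3 in place of MySQL/PostgreSQL; the users table, its rows and the probe string are constructed here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample database with a database-level CHECK constraint.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "  name TEXT PRIMARY KEY,"
        "  age  INTEGER NOT NULL CHECK (age BETWEEN 0 AND 150)"
        ")"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 34), ("bob", 27)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The pattern the reply warns against: user input spliced into the SQL
    # text, so the database cannot tell data from code.
    sql = "SELECT name, age FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    # Prepared query: the SQL text is fixed and the value is passed separately,
    # so whatever the caller supplies is only ever compared as a string.
    return conn.execute(
        "SELECT name, age FROM users WHERE name = ?", (name,)
    ).fetchall()


def insert_checked(conn: sqlite3.Connection, name: str, age: int) -> bool:
    # Returns False when the CHECK constraint rejects the row, which happens
    # whether or not the application validated the input first.
    try:
        with conn:
            conn.execute("INSERT INTO users VALUES (?, ?)", (name, age))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                   # constructed sample input
    print(lookup_unsafe(db, probe))          # both rows: the OR became SQL
    print(lookup_prepared(db, probe))        # []: compared literally, no match
    print(insert_checked(db, "carol", 200))  # False: rejected by CHECK
```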


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
