I don't completely. It is very difficult to totally safeguard such an interface, but I do use an approach which applies a security layer which will stop fairly unsophisticated attacks, but which is still vulnerable to a real-time man-in-the-middle.

I do not send SQL; instead, I have the RPC be a simple metalanguage which is rigorously parsed so that its functions are limited and controlled.

At the XML parser level the DTD is incorporated and used to validate the returned data.

Jay Sprenkle wrote:
On 6/15/06, John Stanton <[EMAIL PROTECTED]> wrote:

I have implemented just such a system as an RPC.  It accesses an HTTP
server using CGI and returns the table or view requested in XML.

How do you ensure non-malicious code is sent to the RPC?

--
SqliteImporter and SqliteReplicator: Command line utilities for Sqlite
http://www.reddawn.net/~jsprenkl/Sqlite

Cthulhu Bucks!
http://www.cthulhubucks.com

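The approach John describes (a small, rigorously parsed request language in place of raw SQL) looks roughly like the following. This is an added illustration, not code from either poster; the table allow-list, grammar, and sample data are assumptions constructed for the example, and the backing store is an in-memory SQLite database via Python's sqlite3 module.

```python
import re
import sqlite3

# Allow-list of tables and the columns the RPC may expose (constructed schema).
SCHEMA = {"orders": {"id", "customer", "total"}, "customers": {"id", "name"}}
# Grammar: SELECT <table> [WHERE <col> = <value>] [LIMIT <n>]; anything else is rejected.
_IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
_REQ = re.compile(
    rf"^SELECT\s+(?P<table>{_IDENT})"
    rf"(?:\s+WHERE\s+(?P<col>{_IDENT})\s*=\s*(?P<val>'[^']*'|\d+))?"
    rf"(?:\s+LIMIT\s+(?P<limit>\d{{1,4}}))?\s*$"
)

class RpcError(ValueError):
    """Raised for any request the metalanguage does not permit."""

def compile_request(text):
    """Translate one request into (sql, params) for sqlite3, or raise RpcError."""
    m = _REQ.match(text.strip())
    if not m:
        raise RpcError("malformed request")
    table, col, raw, limit = m.group("table", "col", "val", "limit")
    if table not in SCHEMA:
        raise RpcError(f"unknown table {table!r}")
    # Column list comes from the allow-list, never from the request text.
    sql = f'SELECT {", ".join(sorted(SCHEMA[table]))} FROM "{table}"'
    params = []
    if col:
        if col not in SCHEMA[table]:
            raise RpcError(f"unknown column {col!r}")
        sql += f' WHERE "{col}" = ?'  # value travels as a bound parameter
        params.append(raw[1:-1] if raw.startswith("'") else int(raw))
    sql += " LIMIT ?"
    params.append(int(limit or 100))  # server-side cap on rows returned
    return sql, tuple(params)

def is_rejected(text):
    try:
        compile_request(text)
    except RpcError:
        return True
    return False

def demo_db():
    """In-memory SQLite; table `secrets` exists but is not in the allow-list."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER, customer TEXT, total REAL);
        CREATE TABLE secrets(token TEXT);
        INSERT INTO orders VALUES (1, 'ann', 9.5), (2, 'bob', 20.0);""")
    return conn
```

Because the parser only ever emits SQL it generated itself from allow-listed names, with request values bound as parameters, a request that names an unlisted table or column, or that carries trailing text outside the grammar, is refused before any SQL exists.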