GreenSQLOpenSource is becoming a popular product. We have received a number of inquiries from our users asking about the database firewall performance. In addition, in the new version, we have incorporated numerous optimization patches. In order to get a feel of the gap, we decided to conduct several performance tests and publish their results.

As you probably know, GreenSQLOpenSource works as an SQL proxy. As a result, the system adds additional layer to your existing application infrastructure. In addition, from the network point of view, GreenSQLOpenSource db firewall creates another network socket when connecting to the genuine MySQL server. All this adds some overhead.

We have tested the system using the speedy configuration. Application logs were disabled. In addition, we have build a list of allowed SQL patterns so the system was running in the firewall mode. As a a

  [Read more...]

MySQL Database is a great product used by thousand of websites. Various web applications use MySQL as their default database. Some of these applications are written with security in mind, and some are not. In this article, I would like to show you how you can exploit SQL injection in order to gain almost full control over your webserver.

Most people know that SQL injection allows attackers to retrieve database records, pass login screens, change database content, through the creation of new administrative users. MySQL does not have a built-in command to execute shell commands, like Microsoft SQL server. I will show you how to run arbitrary commands using standard features provided by MySQL.

First of all, I would like to give a brief description of SQL injection, then I would like to present you with a couple less known methods that exist in MySQL, which

  [Read more...]

After almost eight months of waiting, I am finally allowed to publish my thesis paper:Design and Implementation of a Workflow Engine
This thesis discusses the design and implementation of a software component that faciliates the specification, management, and execution of so-called workflows. The discussion of this component's design includes the semantics and syntax of the underlying workflow model as well as the actual software design. The former builds upon the Workflow Patterns [BK03] terminology, the latter on the concepts of a Workflow Virtual Machine [SF04] and the idea that a workflow system should be comprised of loosely coupled components [DAM01, DG95, PM99].The thesis paper is published under the Creative Commons Attribution 2.0 Germany license, the software that has been developed as part of this thesis has been released under the
  [Read more...]

I am happy to announce that the SQL Injection chapter from my book, Guide to PHP Security has been published on MySQL's developer zone. You can find this chapter here.