[personal profile] maradydd
Dejector, the anti-SQL-injection-attack tool which I developed based on the ideas outlined in this paper, now has a live proof-of-concept up and running. Try and break it! Tell your friends, get them to try and break it too! Pimp it on IRC, submit it to Slashdot, I don't care. This thing needs stress-testing.

As the page explains, it's using a weird dialect of SQL, but that's not intended to be security through obscurity; I learned bison for this project, so I relied on the SQL89 grammar in the O'Reilly Lex and Yacc book. Consider this a .0001a release; the real one will be a C++ library built on the flex/bison (or, in MySQL's case, handrolled-lexer/bison) definitions from a variety of open-source SQL dialects, with wrappers for Python, PHP and whatever other languages SWIG supports and people care about.