I've got involved in a "B2B" project late in the project. The customer generates an order in BizTalk XML, POSTs it to us and it is handled by the SAP Biztalk Connector (BC), and then goes into the live production SAP system.

Perl got involved in this as it receives the external POST, verifies that it's XML, logs things, and sends a response to the client. It then does the actual POST to the SAP BC system, instead of a direct customer POST to BC.

After several posts to the Monastery, and some very useful tips back, we now have a functioning system. Many thanks in arrears...

Ovid's recent (OT) Security Rant has made me fearful. I didn't design the system, but as we found out in testing already, the SAP BC system is quite fragile, and I don't want someone placing an XML file (deliberately or accidentally) into the system that will break the underlying DB.

Last time I looked there wasn't a stable Perl XML validator, plus if the XML isn't valid BC will reject it; my real worry is with a valid XML file that gets imported successfully into the DB and breaks the underlying SAP system.

If I run the XML file through a "de-tainting like" process, only letting through letters, numbers, and enough symbols to maintain valid XML, is this safe enough or is it still possible to compromise the DB?

Many thanks in advance for any comments. I know you can't be 100% secure, but I'd like to think we are as secure as is sensible.

It's probably just me being paranoid, but no one else at work seems to be as worried about security as I am.....
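Added illustration, not code from the original post: the character whitelist described above run beside field-level checks on the same constructed order, showing that the whitelist passes a document whose values the order process would never accept. XML::LibXML and the rule patterns are assumptions; the post gives no actual limits for the SAP interface.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;

# Constructed sample order: every character is a letter, digit or XML punctuation,
# so it survives a character whitelist, yet the quantity is absurd.
my $incoming = <<'XML';
<?xml version="1.0"?>
<Order>
  <CustomerId>C0001</CustomerId>
  <Item>
    <Material>ABC-123</Material>
    <Quantity>99999999999</Quantity>
  </Item>
</Order>
XML

# The "de-tainting like" filter from the post: it only guarantees the document is
# built from harmless characters; it says nothing about what the values mean.
sub passes_charset_whitelist {
    my ($xml) = @_;
    return $xml =~ m{\A[A-Za-z0-9\s<>/="'?.:_-]*\z} ? 1 : 0;
}

# Hypothetical per-field rules standing in for what the real order interface
# tolerates (column widths, numeric ranges, code formats). Adjust to the schema.
my %rules = (
    '/Order/CustomerId'    => qr/\AC\d{4}\z/,
    '/Order/Item/Material' => qr/\A[A-Z0-9-]{1,18}\z/,
    '/Order/Item/Quantity' => qr/\A[1-9]\d{0,3}\z/,    # 1..9999
);

sub validate_order {
    my ($xml) = @_;
    # Parse without fetching external resources or expanding entities.
    my $doc = eval {
        XML::LibXML->load_xml(string => $xml, no_network => 1, expand_entities => 0)
    } or return (0, "not well-formed XML: $@");
    my @errors;
    for my $xpath (sort keys %rules) {
        my @nodes = $doc->findnodes($xpath);
        unless (@nodes) { push @errors, "$xpath: missing"; next; }
        for my $node (@nodes) {
            my $value = $node->textContent;
            push @errors, "$xpath: '$value' rejected" unless $value =~ $rules{$xpath};
        }
    }
    return @errors ? (0, join('; ', @errors)) : (1, 'ok');
}

printf "whitelist: %s\n", passes_charset_whitelist($incoming) ? 'passes' : 'fails';
my ($ok, $why) = validate_order($incoming);
printf "rules:     %s (%s)\n", $ok ? 'passes' : 'fails', $why;
```

The first line prints "passes" and the second "fails" with the Quantity rule named, which is the gap between "well-formed and clean characters" and "acceptable to the backend".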


In reply to How to protect backend DB from hacks or accidents by ajt