In a SQL database application, what are the two types of interfaces that need protection?
Two: the application-specific interface (user → application) and the general SQL interface (application → database) — and each needs a different defence.
* Two interfaces, two defences — the app-specific interface validates business data; the general SQL interface is where you parameterize queries. *
The point of separating them is that one tool doesn't cover both. User input is validated against business rules at the first interface; but even validated data can still be dangerous at the SQL interface, so there you switch tools entirely to parameterized queries — which keep data and SQL code in separate channels so input can't become a command:
Interface breakdown:
| Interface | From | To | Protection Needed |
|---|---|---|---|
| Application-specific | User | Application | Input validation for user data |
| SQL Interface | Application | Database | Parameterized queries, SQL escaping |
SQL Subset example:
- Application accepts user data
- Converts to SQL-Subset language
- SQL-Subset passed to database
- Database interprets SQL
Risk: If user data is concatenated directly into SQL without proper handling, SQL injection occurs.