Protecting your MySQL database from SQL injection attacks with GreenSQL


SQL injection attacks can allow attackers to execute arbitrary SQL commands on your database through your website. To avoid these attacks, every piece of data supplied to your web application, whether via a web form, via web services or by any other means, must be validated so that it contains only what the application expects.
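To make the point concrete, here is an added example (not code from the article) showing why supplied data must never be pasted into the SQL text, and what validating and binding it looks like instead. It uses Python's built-in sqlite3 module as a stand-in for MySQL purely so it runs offline; the sample table, the user names and the hostile input are all constructed for the example.

```python
"""
Added example (not from the article): why data supplied to a web application
must never be concatenated into SQL. Uses Python's built-in sqlite3 module as
a stand-in for MySQL purely so the example runs offline; the principle is the
same with any MySQL client library that supports bound parameters.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The anti-pattern: user input pasted straight into the SQL text.
    Whatever the user sends becomes part of the statement the database parses."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the statement text is fixed and the value travels separately as
    a bound parameter, so it can only ever be compared as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_expected_username(value: str) -> bool:
    """Positive validation as the article recommends: accept only what the
    application expects (here, a short lowercase ASCII alphanumeric user name)."""
    return (
        1 <= len(value) <= 32
        and value.isascii()
        and value.isalnum()
        and value.islower()
    )


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed attacker-style input
    print(lookup_vulnerable(db, hostile))     # every row comes back
    print(lookup_parameterized(db, hostile))  # nothing: no user has that literal name
    print(is_expected_username(hostile))      # False: rejected before any SQL is built
```

The two lookups run the same logical query; only the second keeps the boundary between statement and data, which is the property a proxy such as GreenSQL can only approximate from the outside.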

GreenSQL is a firewall for SQL - it sits between your Website and your MySQL database server and decides which SQL statements should and should not be executed. GreenSQL is distributed under the GPL license.

Introduction

GreenSQL is a proxy for MySQL databases. Web applications connect to GreenSQL, which runs each query through a filter and forwards legitimate SQL queries to your MySQL database. The result of the query is returned through GreenSQL, too (it is a proxy). If GreenSQL detects a query that is not whitelisted and that includes suspicious SQL, it blocks that query and returns an empty result set without contacting the MySQL database.

GreenSQL consists of two components: the proxy server / firewall itself and the management interface. You can see a demo of the management interface at demo.greensql.net.

The proxy server / firewall is written in C/C++ and the management interface in PHP.

Figure: GreenSQL architecture

Even though GreenSQL hasn't reached 1.0 status, there are already packages for popular *nix distributions like FreeBSD, Debian, Ubuntu, Fedora and SuSE available. Compiling from source has been made much easier now, too: there is an automatic database configuration tool, which makes installation much easier than before.

Using GreenSQL

The GreenSQL configuration file allows you to set how risky you consider certain SQL constructs to be. For example, you can assign a weight to the use of certain keywords. The logic is based on evaluating SQL commands against a risk scoring matrix, combined with blocking known database administrative commands (DROP, CREATE, etc.). Once a query's score reaches the configured block level, the query is not forwarded to the MySQL server.

The management interface gives you an overview of the queries used to contact your MySQL database. Given those details, it's easy to fine-tune the rules. Each time GreenSQL considers an SQL query a security risk, it is blocked. You can alter this behavior for a specific query by explicitly adding it to the whitelist.
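The following is an added example (not GreenSQL's own code) of the decision logic the two paragraphs above describe: a keyword-weighted risk score, an outright block on administrative statements, a whitelist that overrides both, and the proxy's behaviour of returning an empty result set for a blocked query. The weights, threshold, heuristics and sample queries are all constructed for the example and are not GreenSQL's real configuration or parser.

```python
"""
Added example (not GreenSQL's own code): a toy of the decision logic the
article describes. Weights, threshold, heuristics and sample queries are all
constructed here and are not GreenSQL's real configuration or parser.
"""
import re
from dataclasses import dataclass, field

# Assumed risk weights per SQL construct; GreenSQL lets you tune the real ones.
RISK_WEIGHTS = {
    "union": 30,         # UNION bolts extra rows onto a result set
    "comment": 20,       # -- or /* cuts off the rest of the statement
    "tautology": 25,     # OR 1=1 style always-true predicate
    "stacked": 30,       # more than one statement in one request
    "schema_probe": 20,  # reads of information_schema
}
BLOCK_THRESHOLD = 40  # assumed: a score at or above this drops the query

# Administrative statements blocked outright unless explicitly whitelisted.
ADMIN_COMMANDS = {"drop", "create", "alter", "truncate", "grant", "revoke"}


@dataclass
class Decision:
    allowed: bool
    score: int
    reasons: list = field(default_factory=list)


def normalize(sql: str) -> str:
    """Collapse whitespace and case so the same query shape always compares equal."""
    return re.sub(r"\s+", " ", sql.strip()).lower()


def score_query(q: str) -> Decision:
    """Apply the risk matrix to a normalized query and sum the weights that fire."""
    score, reasons = 0, []
    statements = [s.strip() for s in q.split(";") if s.strip()]
    checks = {
        "union": re.search(r"\bunion\b", q) is not None,
        "comment": "--" in q or "/*" in q,
        "tautology": re.search(r"\bor\b\s*('?)(\w+)\1\s*=\s*\1\2\1", q) is not None,
        "stacked": len(statements) > 1,
        "schema_probe": "information_schema" in q,
    }
    for name, fired in checks.items():
        if fired:
            score += RISK_WEIGHTS[name]
            reasons.append(name)
    return Decision(score < BLOCK_THRESHOLD, score, reasons)


class SqlFirewall:
    """Sits in front of the database the way GreenSQL sits in front of MySQL."""

    def __init__(self, whitelist=()):
        self.whitelist = {normalize(q) for q in whitelist}

    def decide(self, sql: str) -> Decision:
        q = normalize(sql)
        if q in self.whitelist:  # the operator approved this exact query
            return Decision(True, 0, ["whitelisted"])
        for stmt in q.split(";"):
            verb = stmt.strip().split(" ", 1)[0]
            if verb in ADMIN_COMMANDS:  # DROP, CREATE, ... never reach the server
                return Decision(False, BLOCK_THRESHOLD, [f"admin command: {verb}"])
        return score_query(q)

    def forward(self, sql: str, execute):
        """Proxy behaviour: allowed queries go to the real backend (the execute
        callable); blocked ones get an empty result set and the database never
        sees them."""
        return execute(sql) if self.decide(sql).allowed else []


# Constructed sample traffic, as it might show up in the management interface.
SAMPLE_QUERIES = [
    "SELECT id FROM users WHERE name = 'alice'",
    "SELECT id FROM users WHERE name = 'x' OR '1'='1'",
    "SELECT id FROM users WHERE name = 'x' OR '1'='1' -- '",
    "SELECT id FROM users WHERE name = '' UNION SELECT table_name FROM information_schema.tables",
    "DROP TABLE users",
    "DROP TABLE sessions_tmp",
]

if __name__ == "__main__":
    fw = SqlFirewall(whitelist=["DROP TABLE sessions_tmp"])  # an approved nightly job
    for sql in SAMPLE_QUERIES:
        d = fw.decide(sql)
        print(f"{'ALLOW' if d.allowed else 'BLOCK':5} score={d.score:<3} {d.reasons} :: {sql}")
```

Note what the scoring does with the second sample query: a lone tautology scores 25, below the assumed threshold of 40, so it passes, while the same query with a trailing comment scores 45 and is blocked. That is the trade-off the article's "block level" setting controls, and it is why reviewing the query overview and tuning weights (or whitelisting known-good statements such as the approved DROP) matters in practice.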

Conclusion

GreenSQL isn't production-ready yet. But you should keep an eye on it and give it a try in some of your test projects; I think it has huge potential.


4 Comments

Very interesting. I hadn't heard of GreenSql before. I wonder what the performance hit is like?

Well, I still cannot tell you, as I haven't run a benchmark, yet ...

Well, too bad there are no bind variables in MySQL; that helps a lot against SQL injection.

This seems akin to deciding that rather than treating people that have contagious diseases, we're just going to cover their mouths when they cough.

I suppose if you're in a position where you have to deploy completely untrusted software and allow it to connect to a database with sensitive information, then maybe something like this makes sense. I'd argue that no one should be in that position, though.



About this Entry

This page contains a single entry by Max Horvath published on September 5, 2008 5:15 PM.
