The idea is simple. You want to detect SQL Injection, when you have full access to the code and a QA team. You need to audit massively complex code that spans several servers and involves validation that may be happening on any of them, or the client in javascript. You want to be able to bypass the javascript validation in whole - but not rewrite any javascript or do anything complicated - because you don't want to retrain any QA people - or even have to teach them what SQL Injection is.
The idea is you put a proxy between the client and the web tier that rewrites requests to be an injection, and run a trace on the database to see if the injection ever makes it into the query. It doesn't work in all c...
The idea is simple. You want to detect SQL Injection, when you have full access to the code and a QA team. You need to audit massively complex code that spans several servers and involves validation that may be happening on any of them, or the client in javascript. You want to be able to bypass the javascript validation in whole - but not rewrite any javascript or do anything complicated - because you don't want to retrain any QA people - or even have to teach them what SQL Injection is.
The idea is you put a proxy between the client and the web tier that rewrites requests to be an injection, and run a trace on the database to see if the injection ever makes it into the query. It doesn't work in all cases, and sometimes there are better approaches - but it's another option, and it has a few advantages. Check out the article for diagrams, code, and some enhancement ideas.