Nonetheless, it still can't prevent the application from doing things it is legitimately allowed to do, and since the web application firewall doesn't know how to tell different types of message board users apart, it cannot prevent attacks which remain within the application itself.

That said, it may use various filters and such to limit these types of attacks, and although that is better than nothing, for the multi-user web application (where users are contained within the app itself) I would not trust this type of solution.

cheers,

catch