RewriteRules for SQL Injection attacks

ryanrbftp

5:33 am on Oct 9, 2009 (gmt 0)

I was unable to reply to the topic because it's too old... apparently.

Following up on jdMorgan's post at:
[webmasterworld.com...]

He posted the code:

# Return 403 when the query string contains one of these SQL/script keywords as a whole word
# (the forum renders the "|" alternation as "¦"; it must be a real "|" in .htaccess)
RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]

Would this also block URLs such as:

index.php?name=delete
exec.php

etc...?

jdMorgan

1:15 pm on Oct 9, 2009 (gmt 0)

Yes, the "[^a-z]" subpattern matches "=", "delete" is matched by one of the ORed words, and the space after "delete" is matched by the trailing "[^a-z]". Those "[^a-z]" sub-patterns essentially serve as 'soft anchors' so that query strings like "donotdelete" are not matched.

Also note that the [NC] flag makes the string comparison case-insensitive.

It's impossible to recommend a perfect coded solution for every site, and these attacks may have changed in the year since that old thread was posted. You should think about what the code means in relation to your site, your URLs, your query strings, and the 'attacks' that you are seeing, and adapt the code as needed.

Jim

g1smd

3:45 pm on Oct 9, 2009 (gmt 0)

Having been a user of a similar rule to the one posted above for a long time, the way I avoided problems was by using carefully chosen URL parameter names and values that did NOT match the name of any PHP or MySQL instruction.
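To see exactly what jdMorgan's rule matches, here is an added Python harness that is not code from the thread or from any of its posters. It applies the same pattern (with the forum's broken bar ¦ read as a real | alternation and Apache's [NC] flag mapped to re.IGNORECASE; this pattern uses only constructs that Python's re and Apache's PCRE treat identically) to a set of constructed sample URLs. It tests only the query string, because %{QUERY_STRING} never includes the path, so exec.php is not caught unless "exec" also appears after the "?"; it shows that a keyword at the very end of the query string needs a following space or other non-letter before the trailing [^a-z] can match; and it shows how a legitimate parameter named "set" gets a 403, which is the problem g1smd avoided by choosing parameter names. The helper names, the sample URLs and the percent-encoded case are assumptions of this example, not anything the thread states.

```python
import re

# jdMorgan's RewriteCond pattern, with the forum's broken bar "¦" read as a real "|"
# alternation. Apache's [NC] flag corresponds to re.IGNORECASE.
SQL_KEYWORD_PATTERN = re.compile(
    r"[^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script"
    r"|select|truncate|update)[^a-z]",
    re.IGNORECASE,
)


def query_string_of(url: str) -> str:
    """What Apache exposes as %{QUERY_STRING}: the raw text after the first '?',
    still percent-encoded, or '' when there is none. The path is not part of it."""
    _, sep, qs = url.partition("?")
    return qs if sep else ""


def would_be_forbidden(url: str) -> bool:
    """True when the RewriteCond matches, i.e. 'RewriteRule (.*) - [F]' would fire
    and the request would get a 403."""
    return SQL_KEYWORD_PATTERN.search(query_string_of(url)) is not None


# Constructed sample requests (not from the thread) and what the rule does to them.
# True = blocked with 403, False = passed through.
SAMPLES = {
    # ryanrbftp's two cases
    "/index.php?name=delete": False,     # '=' satisfies the leading [^a-z], but nothing
                                          # follows 'delete', so the trailing [^a-z] fails
    "/index.php?name=delete ": True,     # a trailing space (as in a pasted URL) satisfies it
    "/exec.php": False,                   # no query string: %{QUERY_STRING} is empty
    "/exec.php?id=1": False,              # 'exec' is in the path, which is never tested
    # the 'soft anchors' at work
    "/page.php?q=donotdelete": False,     # letter before 'delete': not a whole word
    "/page.php?name=delete&x=1": True,    # '=' before, '&' after: blocked
    # typical injection attempts
    "/page.php?id=1;DROP TABLE users--": True,   # ';DROP ' matched case-insensitively
    "/page.php?id=1 UNION SELECT 1,2": True,     # ' SELECT ' bounded by spaces
    # a legitimate parameter whose name is a keyword (g1smd's point)
    "/settings.php?set=1": False,         # 'set' opens the query string: no char before it
    "/settings.php?a=1&set=1": True,      # '&set=' is a whole word: a real user gets a 403
    # the rule sees the raw, still percent-encoded query string
    "/page.php?id=1+s%65lect+1": False,   # 's%65lect' is not the literal word 'select'
}


def check_samples() -> dict:
    """Run every sample through the rule so the verdicts can be compared with SAMPLES."""
    return {url: would_be_forbidden(url) for url in SAMPLES}


if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        got = would_be_forbidden(url)
        verdict = "403 " if got else "pass"
        print(f"{verdict} {url!r}{'' if got == expected else '  <-- unexpected'}")
```

Drop your own site's URLs into SAMPLES before deploying the rule to find parameter names it would break. Because mod_rewrite matches the raw, still percent-encoded query string, a keyword with an encoded letter inside it is not caught, which is one concrete reason the rule is a starting point to adapt, as jdMorgan says, rather than a complete defense.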