
how to block sql queries in urls

block sql query string


stoveboltgeek

4:50 pm on Oct 7, 2023 (gmt 0)




I know how to block a single word using query_string in .htaccess. For example:
# Block all the crosssite scripting crap in URIs
RewriteCond %{QUERY_STRING} fromCharCode
RewriteRule ^(.*)$ - [F,L]

I'm wondering if there is a way to block SQL queries that show up in URLs, like these that I found in my logs.
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%27%29%29%29%2F%2A%2A%2FaNd%2F%2A%2A%2F8301%2F%2A%2A%2FBeTWEEn%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2FaNd%2F%2A%2A%2F%28sELEcT%28CAsE%2F%2A%2A%2FwhEN%2F%2A%2A%2F%288301%3D8301%29%2F%2A%2A%2FthEn%2F%2A%2A%2F8301%2F%2A%2A%2FelSe%2F%2A%2A%2F%28sELEcT%2F%2A%2A%2F1586%2F%2A%2A%2FuniON%2F%2A%2A%2FsELEcT%2F%2A%2A%2F2377%29%2F%2A%2A%2FenD%29%29--%2F%2A%2A%2Fpkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.example.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%%27%2F%2A%2A%2FAnd%2F%2A%2A%2F2508%2F%2A%2A%2FbetWEEn%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2FAnd%2F%2A%2A%2F%28SELeCt%28CasE%2F%2A%2A%2FWHEn%2F%2A%2A%2F%282508%3D4408%29%2F%2A%2A%2FtHen%2F%2A%2A%2F2508%2F%2A%2A%2FElsE%2F%2A%2A%2F%28SELeCt%2F%2A%2A%2F4408%2F%2A%2A%2FuniON%2F%2A%2A%2FSELeCt%2F%2A%2A%2F5903%29%2F%2A%2A%2FENd%29%29--%2F%2A%2A%2FBkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4%20barrel%20carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.example.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"

Decoded, this looks like this.
2.59.254.136 - - [06/Oct/2023:16:05:29 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat')))/**/aNd/**/8301/**/BeTWEEn/**/(sELEcT/**/aNd/**/(sELEcT(CAsE/**/whEN/**/(8301=8301)/**/thEn/**/8301/**/elSe/**/(sELEcT/**/1586/**/uniON/**/sELEcT/**/2377)/**/enD))--/**/pkgf&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4 barrel carb&topic=0&Search=true HTTP/1.1" 200 3206 "https://www.example.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"
2.59.254.136 - - [06/Oct/2023:16:05:31 -0400] "GET /ubbthreads/ubbthreads.php?ubb=showflat%'/**/And/**/2508/**/betWEEn/**/(SELeCt/**/And/**/(SELeCt(CasE/**/WHEn/**/(2508=4408)/**/tHen/**/2508/**/ElsE/**/(SELeCt/**/4408/**/uniON/**/SELeCt/**/5903)/**/ENd))--/**/Bkhs&Board=1&Number=407581&Searchpage=3&Main=56047&Words=4 barrel carb&topic=0&Search=true HTTP/1.1" 200 3203 "https://www.example.com/ubbthreads/ubbthreads.php" "Opera/9.01 (Windows NT 5.1; U; ru)"

When you see select, case, union in a URL, you know it's something nefarious. I can't block on only select, because that would catch legitimate URLs that have selected or selection, etc. in them.

So, my question is, is there a way, using RewriteCond, to match on multiple and only on multiple strings? I guess what I'm asking is: can you AND RewriteCond such that if a URL contains select AND else AND then, or select AND union AND case, then the URL would be blocked?

Update: Never mind. After reading the documentation more carefully, I realize that RewriteCond is ANDed by default. (If I'm incorrect, let me know.)




[edited by: not2easy at 6:37 pm (utc) on Oct 7, 2023]
[edit reason] reminder: please use example.com [/edit]

stoveboltgeek

6:17 pm on Oct 7, 2023 (gmt 0)




It appears that I was incorrect. I checked the logs, and a URL that had reunion in it (but not select or else) was blocked. So, is there a way to AND RewriteCond such that the request will only be blocked if ALL the conditions are met?
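One way to get the "block only if ALL conditions match" behaviour for the two keyword combinations from the first post, as an added example rather than the poster's own rules. It assumes mod_rewrite is enabled and RewriteEngine On is already set earlier in the .htaccess; the sample requests above are matched as they appear in the log, since %{QUERY_STRING} is tested raw (not URL-decoded).

```apache
# Added example, not the poster's rules. Assumes RewriteEngine On is already set.
#
# Consecutive RewriteCond lines are ANDed: the RewriteRule that follows them
# fires only when every condition matches. [NC] makes the match case-insensitive,
# which covers the mixed case (sELEcT, uniON, CAsE) seen in the logged requests.
# A request whose query string contains only "reunion" satisfies at most one
# condition of each group, so it is not blocked.

# Group 1: select AND union AND case
RewriteCond %{QUERY_STRING} select [NC]
RewriteCond %{QUERY_STRING} union  [NC]
RewriteCond %{QUERY_STRING} case   [NC]
RewriteRule ^(.*)$ - [F,L]

# Group 2: select AND then AND else
# A RewriteCond set applies only to the RewriteRule immediately after it, so
# each keyword combination (each OR branch of the question) needs its own
# RewriteCond/RewriteRule block; do not use [OR] here or the AND is lost.
RewriteCond %{QUERY_STRING} select [NC]
RewriteCond %{QUERY_STRING} then   [NC]
RewriteCond %{QUERY_STRING} else   [NC]
RewriteRule ^(.*)$ - [F,L]
```

Because the query string is not decoded before matching, a condition on the quote or the /**/ comment filler would have to match their encoded forms as logged (%27, %2F%2A%2A%2F), and regex word boundaries (\b) are unreliable next to those hex sequences; relying on several keywords occurring together, as above, avoids that problem.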