Welcome! Log In Create A New Profile

Advanced

Re: Block SQL Injection

Ryan Malayter
April 20, 2011 04:48PM
On Wed, Apr 20, 2011 at 3:22 PM, Cliff Wells <cliff@develix.com> wrote:
> On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:
>> Hi all. Anybody know how can I block some characters for avoid SQL
>> Injection using Nginx as web server o HTTP reverse-proxy?
>> Thanks a lot.
>
> You can't really, unless you write a custom module. Rewrite rules won't
> help since they don't deal with the POST body. There may be some filter
> module I'm unaware of that could do it, but I'd still suggest you don't.
> It's much better to simply use software written by moderately capable
> developers. SQL-injection is so trivial to avoid at the application
> level that it's borderline unforgivable to find it in a modern web app.
>

Except when it's that eleventy-hundred-thousand-dollar application you
inherited from a departed CIO, and the vendor releases patches about
once a year, after which you then have to spend hundreds of man-hours
getting them though QA. Usually the app is from a "major enterprise
vendor" which took that departed CIO on a lot of golf trips. Note I am
*not* talking about Microsoft here - they're actually saintly by
comparison.

Unfortunately, nginx is not an IPS or a Web Application Firewall. Both
categories can usually handle SQL and javascript injection attacks
with a little configuration. But good devices/software in this
category is very spendy. You may be able to block a specific attack
with some form of Regex filter in Apache, but that will be like
playing whack-a-mole, because there are undoubtedly other holes you
need to plug.

--
RPM

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Subject Author Posted

Block SQL Injection

jacppe April 20, 2011 01:05PM

Re: Block SQL Injection

SplitIce April 20, 2011 01:26PM

Re: Block SQL Injection

Cliff Wells April 20, 2011 04:24PM

Re: Block SQL Injection

Ryan Malayter April 20, 2011 04:48PM

Re: Block SQL Injection

unclepieman April 20, 2011 05:10PM

Re: Block SQL Injection

Joe April 20, 2011 05:24PM

Re: Block SQL Injection

Cliff Wells April 20, 2011 06:12PM

Re: Block SQL Injection

unclepieman April 20, 2011 08:46PM

Re: Block SQL Injection

Cliff Wells April 20, 2011 09:38PM

Re: Block SQL Injection

unclepieman April 20, 2011 11:10PM

Re: Block SQL Injection

Cliff Wells April 20, 2011 11:32PM

Re: Block SQL Injection

edogawaconan April 20, 2011 11:42PM

Re: Block SQL Injection

Cliff Wells April 21, 2011 12:00AM

Re: Block SQL Injection

António P. P. Almeida April 20, 2011 05:44PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 111
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready