Forum List Message List New Topic Print View

Joe

April 20, 2011 05:24PM

Put a daily backup on your databases. :)

Regards,
Joe

On Thu, Apr 21, 2011 at 4:08 AM, Payam Chychi <pchychi@gmail.com> wrote:

> Ryan Malayter wrote:
>
>> On Wed, Apr 20, 2011 at 3:22 PM, Cliff Wells <cliff@develix.com> wrote:
>>
>>
>>> On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:
>>>
>>>
>>>> Hi all. Anybody know how can I block some characters for avoid SQL
>>>> Injection using Nginx as web server o HTTP reverse-proxy?
>>>> Thanks a lot.
>>>>
>>>>
>>> You can't really, unless you write a custom module. Rewrite rules won't
>>> help since they don't deal with the POST body. There may be some filter
>>> module I'm unaware of that could do it, but I'd still suggest you don't.
>>> It's much better to simply use software written by moderately capable
>>> developers. SQL-injection is so trivial to avoid at the application
>>> level that it's borderline unforgivable to find it in a modern web app.
>>>
>>>
>>>
>>
>> Except when it's that eleventy-hundred-thousand-dollar application you
>> inherited from a departed CIO, and the vendor releases patches about
>> once a year, after which you then have to spend hundreds of man-hours
>> getting them though QA. Usually the app is from a "major enterprise
>> vendor" which took that departed CIO on a lot of golf trips. Note I am
>> *not* talking about Microsoft here - they're actually saintly by
>> comparison.
>>
>> Unfortunately, nginx is not an IPS or a Web Application Firewall. Both
>> categories can usually handle SQL and javascript injection attacks
>> with a little configuration. But good devices/software in this
>> category is very spendy. You may be able to block a specific attack
>> with some form of Regex filter in Apache, but that will be like
>> playing whack-a-mole, because there are undoubtedly other holes you
>> need to plug.
>>
>>
>>
> Id recommend looking into http://www.greensql.net/ or get layer7
> application security provided by radware/juniper
> -Payam
>
>
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Block SQL Injection	jacppe	April 20, 2011 01:05PM
Re: Block SQL Injection	SplitIce	April 20, 2011 01:26PM
Re: Block SQL Injection	Cliff Wells	April 20, 2011 04:24PM
Re: Block SQL Injection	Ryan Malayter	April 20, 2011 04:48PM
Re: Block SQL Injection	unclepieman	April 20, 2011 05:10PM
Re: Block SQL Injection	Joe	April 20, 2011 05:24PM
Re: Block SQL Injection	Cliff Wells	April 20, 2011 06:12PM
Re: Block SQL Injection	unclepieman	April 20, 2011 08:46PM
Re: Block SQL Injection	Cliff Wells	April 20, 2011 09:38PM
Re: Block SQL Injection	unclepieman	April 20, 2011 11:10PM
Re: Block SQL Injection	Cliff Wells	April 20, 2011 11:32PM
Re: Block SQL Injection	edogawaconan	April 20, 2011 11:42PM
Re: Block SQL Injection	Cliff Wells	April 21, 2011 12:00AM
Re: Block SQL Injection	António P. P. Almeida	April 20, 2011 05:44PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 301

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018