
Blocking SQL Injection with htaccess


I've had a recent spate of SQL injection attempts on a site I maintain. The site passes SQL parameters, which greatly reduces the risk of a hacker doing anything nasty (look up cfqueryparam if you want to know more). However, the server still has to process the request and throw an error, which has an overhead, and there may also be an unprotected query (such as an ORDER BY clause), so I'd like to add a set of rules to my htaccess file to stop the request at the web server level (using Apache's mod_rewrite or Helicon's ISAPI_Rewrite on IIS) before it reaches my CFML server.

These are the rules I'm using. I thought I'd share in case it's useful for others and also to ask if anyone has any improvements.

RewriteEngine On

# --------------------------------------------------------------------
# SQL Injection Protection
# --------------------------------------------------------------------
# In Apache mod_rewrite a RewriteRule pattern is matched against the
# URL path only, so the query string (where these payloads normally
# arrive) has to be tested with RewriteCond %{QUERY_STRING}.
# QUERY_STRING is not URL-decoded, hence the %20 / + alternatives for
# a space. NC = case-insensitive, OR = any one condition is enough.
# (A separate DECLARE%20 rule is redundant: DECLARE already covers it.)

RewriteCond %{QUERY_STRING} EXEC\(@       [NC,OR]
RewriteCond %{QUERY_STRING} CAST\(        [NC,OR]
RewriteCond %{QUERY_STRING} DECLARE       [NC,OR]
RewriteCond %{QUERY_STRING} NVARCHAR      [NC,OR]
RewriteCond %{QUERY_STRING} sp_password   [NC,OR]
RewriteCond %{QUERY_STRING} (%20|\+)xp_   [NC]
# A matching request is answered with 404 and never reaches CFML.
RewriteRule ^.*$ - [R=404,L]
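As an added illustration (not code from the original post), this Python snippet emulates how the rule set above is evaluated against the raw query string and runs it over a few constructed request targets, including a benign search term that the DECLARE pattern blocks, which is the false-positive cost of substring blocklists like this one:

```python
import re
from urllib.parse import urlsplit

# Regexes from the RewriteCond lines above, applied to the raw (not URL-decoded)
# query string, case-insensitively, the way mod_rewrite evaluates %{QUERY_STRING}.
PATTERNS = [
    r"EXEC\(@",
    r"CAST\(",
    r"DECLARE",
    r"NVARCHAR",
    r"sp_password",
    r"(%20|\+)xp_",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in PATTERNS]


def matched_pattern(query_string):
    """Return the first pattern that matches the raw query string, or None."""
    for regex in COMPILED:
        if regex.search(query_string):
            return regex.pattern
    return None


def decide(request_target):
    """Emulate the rule set for one request target (path plus query string).

    Only the query string is tested, mirroring RewriteCond %{QUERY_STRING};
    a hit means RewriteRule ^.*$ - [R=404,L] would answer 404.
    """
    parts = urlsplit(request_target)
    hit = matched_pattern(parts.query)
    return {"path": parts.path, "query": parts.query,
            "blocked": hit is not None, "pattern": hit}


# Constructed sample request targets (not taken from any real log).
SAMPLE_REQUESTS = [
    "/product.cfm?id=42",                                # ordinary request
    "/product.cfm?id=1;DECLARE%20@s%20NVARCHAR(4000)",   # injection attempt
    "/search.cfm?q=undeclared+variable",                 # benign, but DECLARE matches
    "/report.cfm?proc=run+xp_test",                      # '+' encodes the space here
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Evaluate each sample and return the decisions in order."""
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for d in run_samples():
        print("404 " if d["blocked"] else "pass", d["path"], d["query"], d["pattern"])
```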

Published at DZone with permission of
