Blocking SQL Injection with htaccess

I've had a recent spate of SQL injection attempts on a site I maintain. The site uses parameterised SQL, which greatly reduces the risk of a hacker doing anything nasty (look up cfqueryparam if you want to know more); however, the server still has to process each request and throw an error, which has an overhead, and there may be an unprotected query (such as an ORDER BY clause), so I'd like to add a set of rules to my htaccess file that stop the request at the web server level (using Apache's mod_rewrite or Helicon's ISAPI_Rewrite on IIS) before it reaches my CFML server.

These are the rules I'm using. I thought I'd share them in case they're useful for others, and also to ask if anyone has any improvements.

RewriteEngine On

# --------------------------------------------------------------------
# SQL Injection Protection
# --------------------------------------------------------------------
# A RewriteRule pattern is only matched against the URL path, never the
# query string, so the tokens are tested against %{THE_REQUEST}: the raw
# request line (method, path and query string, still URL-encoded), which
# is why the %20 forms are meaningful. Any match answers 404 and stops
# rewriting. NC = case-insensitive, OR = chain the conditions.

RewriteCond %{THE_REQUEST} EXEC\(@      [NC,OR]
RewriteCond %{THE_REQUEST} CAST\(       [NC,OR]
RewriteCond %{THE_REQUEST} DECLARE      [NC,OR]
RewriteCond %{THE_REQUEST} DECLARE%20   [NC,OR]
RewriteCond %{THE_REQUEST} NVARCHAR     [NC,OR]
RewriteCond %{THE_REQUEST} sp_password  [NC,OR]
RewriteCond %{THE_REQUEST} %20xp_       [NC]
RewriteRule ^ - [R=404,L]
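Before trusting a token blocklist like this, it is worth checking what it actually catches and what it catches by mistake. The following Python script is an added example, not the author's code: it applies the seven patterns from the rules above to a few constructed request lines, once against the decoded URL path only (what a bare RewriteRule pattern sees in .htaccess context) and once against the whole raw request line (what %{THE_REQUEST} provides). The sample lines are made up for the test; verify real behaviour against Apache itself.

```python
import re
from urllib.parse import unquote

# The seven patterns from the .htaccess rules, compiled case-insensitively
# to mirror the NC flag. Keys are just labels for reporting.
PATTERNS = {
    "EXEC(@": r"EXEC\(@", "CAST(": r"CAST\(", "DECLARE": r"DECLARE",
    "DECLARE%20": r"DECLARE%20", "NVARCHAR": r"NVARCHAR",
    "sp_password": r"sp_password", "%20xp_": r"%20xp_",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in PATTERNS.items()}


def hits(text: str) -> list:
    """Labels of the patterns that match the given text, in rule order."""
    return [name for name, rx in COMPILED.items() if rx.search(text)]


def evaluate(request_line: str) -> dict:
    """Apply the patterns the two ways mod_rewrite can see a request.

    path_only: decoded URL path without the query string, which is all a
               RewriteRule pattern is matched against.
    full:      the raw request line, as %{THE_REQUEST} supplies it
               (query string included, percent-encoding left in place).
    """
    method, target, _version = request_line.split(" ", 2)
    path = unquote(target.split("?", 1)[0])
    return {"path_only": hits(path), "full": hits(request_line)}


# Constructed sample request lines (not real traffic): a clean request,
# one carrying injected T-SQL in the query string, and a legitimate
# search whose term happens to contain "declare".
SAMPLES = [
    "GET /products.cfm?id=42 HTTP/1.1",
    "GET /products.cfm?id=42;DECLARE%20@s%20NVARCHAR(4000) HTTP/1.1",
    "GET /search.cfm?q=undeclared+income HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", evaluate(line))
```

The second sample shows why the path-only form misses query-string payloads, and the third shows the false positive that a bare `DECLARE` token produces on ordinary search input.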

Published at DZone with permission of John Whish, DZone MVB. See the original article here.
