Running some quick SQL injection tests against a PHP script with a
MySQL backend and I noted that the core ModSecurity rules did not seem
to identify injections related to the various MySQL comment
syntaxes, e.g. closing an argument with ' and then adding "-- " or "/*"
as MySQL comments.
While I can add my own rules, I was wondering why rules to stop ' --
and ' /* were not included in the core set? I suspect a performance
concern or high false positives, but thought that I would ask.
Jeffrey Savoy, CISSP EnCE
Information Security Officer
University of Wisconsin-Madison
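As an added illustration (not the poster's code and not part of the ModSecurity core rule set), the check below flags a request parameter that contains a closing quote followed by a MySQL comment opener, the `' -- ` and `' /*` cases from the question, generalised to MySQL's `#` comment as well. It URL-decodes the value first, as a WAF transformation pipeline would, and the benign `O'Brien` / `a--b` inputs are constructed to show where the false-positive risk lies; parameter names, values and the regex are all assumptions.

```python
import re
from urllib.parse import unquote_plus

# A quote (' or ") terminating the injected value, optional whitespace, then a
# MySQL comment opener. MySQL only treats "--" as a comment when it is followed
# by whitespace or a control character, so a bare "--" inside data does not hit.
# An illustrative ModSecurity equivalent would apply this same pattern with
# SecRule ARGS "@rx ..." after t:urlDecodeUni (assumption, not a CRS rule).
MYSQL_COMMENT_AFTER_QUOTE = re.compile(r"""['"]\s*(?:--[\s\x00]|/\*|#)""")


def normalize(value: str) -> str:
    """Undo transport encoding before matching; decode twice so that a
    double-encoded quote (%2527 -> %27 -> ') is still seen."""
    return unquote_plus(unquote_plus(value))


def flag_parameter(name: str, value: str):
    """Return (name, matched_text) if the decoded value contains a quote
    followed by a MySQL comment opener, otherwise None."""
    match = MYSQL_COMMENT_AFTER_QUOTE.search(normalize(value))
    if match:
        return name, match.group(0)
    return None


def scan_query_string(query: str):
    """Check every key=value pair of a raw query string (split before decoding,
    as the server does) and return the list of flagged parameters."""
    findings = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        hit = flag_parameter(name, value)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: two benign values and three comment-style probes.
    for sample in ("id=42&name=O%27Brien", "name=a--b",
                   "id=42%27+--+", "id=42%27/*", "id=42%2527--+"):
        print(sample, "->", scan_query_string(sample))
```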