RE: [mod-security-users] [Fwd: Re: Mod_Security]
From: Eli <eli...@ex...> - 2005-02-08 03:46:01
Tommy Burchfield wrote:
> This rule kills phpMyAdmin
>
> # Very crude filters to prevent SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"

From the headers you showed, it was a GET request which was used - where did you get this in phpMyAdmin? I didn't check extensively, however all I saw were POST uses in the latest 2.6.1. Maybe all that's required is an upgrade?

Besides, it's always been my thought that SQL injection is best left to be prevented code side, not webserver side. As you can see, you'll run into some headaches, not to mention it's a VERY crude hack as you mention.

Oh, and "select.+from" is about the worst SQL regex you could imagine :) "I wish to select some fields where I show a drop down list menu thingy from my website" - just matched "select.+from" :P If you search GET only, then not so bad... But if you're filtering POST too, good luck :P

Eli.
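The behaviour Eli describes can be checked directly. The script below is an added example, not code from the thread or from the ModSecurity project: it approximates the three quoted SecFilter patterns as Python regexes (POSIX `[[:space:]]` rewritten as `\s`, and case-insensitive matching assumed purely for illustration, not as a statement about how ModSecurity 1.x compiled SecFilter rules) and runs them over constructed request bodies. It shows the harmless sentence from the reply being blocked, a legitimate phpMyAdmin-style query being blocked, a real injection being caught, and the same injection slipping past when a newline separates the keywords, because `.` does not match a newline.

```python
from __future__ import annotations
import re

# Constructed approximation of the three "very crude" SecFilter rules quoted above.
# ModSecurity 1.x wrote them in POSIX syntax ([[:space:]]); Python's re lacks that
# class, so it is written as \s.  IGNORECASE is an assumption made for this example.
CRUDE_RULES = {
    "delete-from": re.compile(r"delete\s+from", re.IGNORECASE),
    "insert-into": re.compile(r"insert\s+into", re.IGNORECASE),
    "select-from": re.compile(r"select.+from", re.IGNORECASE),
}


def triggered_rules(text: str) -> list[str]:
    """Return the names of the crude rules that would block the given request text."""
    return [name for name, rx in CRUDE_RULES.items() if rx.search(text)]


# Constructed sample request bodies, not captured traffic.
SAMPLES = {
    # The harmless prose from the reply: plain English, still matches "select.+from".
    "harmless-prose": (
        "I wish to select some fields where I show a drop down list menu "
        "thingy from my website"
    ),
    # A phpMyAdmin-style form field that legitimately carries SQL in a POST body.
    "legit-sql": "sql_query=SELECT id, name FROM users WHERE id = 42",
    # A textbook injection payload that the rule set does catch.
    "injection": "id=1; DELETE FROM users; --",
    # Same idea with a newline between the keywords: '.' does not cross a newline,
    # so "select.+from" misses it although the SQL is still valid.
    "injection-newline": "id=1 UNION SELECT password\nFROM users",
}


def evaluate(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Run every sample through the crude rules and report which rules fired."""
    return {label: triggered_rules(body) for label, body in samples.items()}


if __name__ == "__main__":
    for label, rules in evaluate().items():
        verdict = "BLOCKED by " + ", ".join(rules) if rules else "passed"
        print(f"{label:20s} {verdict}")
```

The two false positives and the one miss are the whole argument in miniature: a keyword regex over free text has no idea whether it is looking at SQL, and even when it is looking at SQL it only sees the shapes it was told about.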