Tommy Burchfield wrote:
> This rule kills phpMyAdmin
>
> # Very crude filters to prevent SQL injection attacks
> SecFilter "delete[[:space:]]+from"
> SecFilter "insert[[:space:]]+into"
> SecFilter "select.+from"
From the headers you showed, it was a GET request which was used - where did
you get this in phpMyAdmin? I didn't check extensively, however all I saw
were POST uses in the latest 2.6.1. Maybe all that's required is an
upgrade?
Besides, it's always been my thought that SQL injection is best left to be
prevented code side, not webserver side. As you can see, you'll run into
some headaches, not to mention it's a VERY crude hack as you mention.
Oh, and "select.+from" is about the worst SQL regex you could imagine :)
"I wish to select some fields where I show a drop down list menu thingy from
my website" - just matched "select.+from" :P If you search GET only, then
not so bad... But if you're filtering POST too, good luck :P
Eli.
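To make the false-positive point concrete, here is an added example (not code from the thread or from ModSecurity) that runs the three quoted SecFilter patterns over constructed sample requests: a legitimate phpMyAdmin-style GET carrying its own SQL, a forum POST containing Eli's "select some fields ... from my website" sentence, and an unrelated search request. Assumptions: ModSecurity 1.x matched SecFilter expressions case-insensitively, so the patterns are compiled with `re.IGNORECASE`, and the POSIX `[[:space:]]` class is rewritten as `\s` because Python's `re` does not support it. The request paths and parameter names are made up for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three SecFilter patterns quoted in the thread, keyed by their original text.
# Assumption: ModSecurity 1.x applied SecFilter case-insensitively, hence IGNORECASE;
# [[:space:]] is translated to \s, which has the same meaning here.
CRUDE_FILTERS = {
    "delete[[:space:]]+from": re.compile(r"delete\s+from", re.IGNORECASE),
    "insert[[:space:]]+into": re.compile(r"insert\s+into", re.IGNORECASE),
    "select.+from": re.compile(r"select.+from", re.IGNORECASE),
}


def matching_filters(text: str) -> list[str]:
    """Return the names of the crude filters that fire on one decoded value."""
    return [name for name, rx in CRUDE_FILTERS.items() if rx.search(text)]


def check_request(method: str, url: str, body: str = "") -> dict[str, list[str]]:
    """Run the filters over every decoded parameter of one request.

    Returns {parameter name: [filters that fired]}; an empty dict means the
    request would have passed. GET parameters come from the query string and
    POST parameters from a form-encoded body (the case Eli warns about).
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    hits: dict[str, list[str]] = {}
    for name, values in params.items():
        fired = sorted({f for v in values for f in matching_filters(v)})
        if fired:
            hits[name] = fired
    return hits


# Constructed sample traffic; none of this comes from the thread's server logs.
SAMPLE_REQUESTS = [
    # Legitimate phpMyAdmin-style GET that carries the SQL it is about to run.
    ("GET", "/phpmyadmin/sql.php?db=shop&sql_query=SELECT+*+FROM+orders+LIMIT+30", ""),
    # Ordinary forum post whose text is Eli's own counter-example sentence.
    ("POST", "/forum/post.php",
     "subject=help&body=I+wish+to+select+some+fields+where+I+show+a+drop+down"
     "+list+menu+thingy+from+my+website"),
    # A request with nothing resembling SQL at all.
    ("GET", "/search.php?q=blue+widgets", ""),
]


def summarize() -> dict[str, dict[str, list[str]]]:
    """Map 'METHOD /path' to the filter hits for each constructed request."""
    return {f"{m} {urlsplit(u).path}": check_request(m, u, b) for m, u, b in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, hits in summarize().items():
        print(f"{req:32} {'BLOCKED ' + str(hits) if hits else 'passed'}")
```

Both the admin tool's genuine query and the harmless forum sentence are blocked by `select.+from`, while the filter tells you nothing about whether the application itself builds queries safely; that is why the fix belongs in the code (parameterized queries) rather than in a webserver regex.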