This might help to avoid an SQL injection attack, who knows. Now, it is definitely NOT absolute security. It likely won't protect you from anything other than some automated probes, and maybe it happens to save you from a particular SQL injection vulnerability. The idea is simply not to allow certain SQL commands in the HTTP request.
Now, this means it should be used selectively. If you use it on a whole site, something may break. Therefore, encapsulate it in Directory/Location tags.
# don't allow certain SQL command string patterns within the HTTP request
# !WARNING: use location or directory tags, probably not good for whole server
QS_DenyQueryBody on
QS_DenyQuery +s01 deny "(EXEC|SELECT|INSERT|UPDATE|DELETE)"
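To see why the rule needs to be scoped, here is an added example (not part of the original post) that runs the pattern above over constructed query strings and lists which ones would be denied. It assumes the rule is matched case-insensitively against the URL-decoded query; the sample requests and the word-bounded variant are hypothetical.

```python
import re
from urllib.parse import unquote_plus

# Pattern copied from the QS_DenyQuery rule on this page.
PAGE_PATTERN = r"(EXEC|SELECT|INSERT|UPDATE|DELETE)"
# Hypothetical tighter variant (not from the page): whole words only.
WORD_PATTERN = r"\b(EXEC|SELECT|INSERT|UPDATE|DELETE)\b"

# Constructed sample query strings for a hypothetical site.
SAMPLES = [
    ("search",  "q=executive+summary"),
    ("catalog", "view=selection&page=2"),
    ("profile", "status=updated"),
    ("cms",     "action=delete&id=7"),
    ("probe",   "id=1%3BSELECT%201"),
    ("plain",   "id=42&sort=asc"),
]


def denied(pattern, query):
    """Model of the deny decision: URL-decode, then case-insensitive search.

    Assumption: this approximates how the module evaluates the rule; the
    real decoding behaviour depends on the mod_qos configuration.
    """
    return re.search(pattern, unquote_plus(query), re.IGNORECASE) is not None


def blocked_labels(pattern, samples=SAMPLES):
    """Return the labels of the sample requests the pattern would deny."""
    return [label for label, query in samples if denied(pattern, query)]


if __name__ == "__main__":
    for name, pattern in (("page rule", PAGE_PATTERN),
                          ("word-bounded", WORD_PATTERN)):
        print(f"{name:13} denies: {blocked_labels(pattern)}")
```

The page rule denies the ordinary search, catalog and profile requests because it matches substrings such as "exec" in "executive". Even the word-bounded variant still denies a legitimate `action=delete` parameter, which is why the rule belongs inside a Directory/Location block covering only the URLs where such words never occur.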