Friday, July 20, 2012

Deter SQL injections with mod_qos?

I updated my previous post about Apache's mod_qos to include one additional example use.

This might help against some SQL injection attempts, but it is definitely NOT absolute security. At best it stops automated probes, and it may happen to catch a particular SQL injection payload. The idea is simply to deny any HTTP request whose query string contains certain SQL keywords. Keep in mind what that is: a keyword blacklist. Anything not on the list (UNION, DROP, OR 1=1), differently-cased spellings, or keywords split by SQL comments pass straight through, and the real fix remains parameterized queries in the application.

This means it must be used selectively. Applied to a whole site, any legitimate request carrying one of those words in a parameter (a search for "update", a comment containing "select") gets rejected. Therefore, encapsulate it in Directory/Location blocks that cover only the paths that need it.


# Deny requests whose query string (or form-encoded body) matches these SQL keywords.
# !WARNING: scope it with <Location>/<Directory>; enabled server-wide it blocks
# legitimate requests too (e.g. a search for "deleted"). "/app" is a placeholder path.
<Location "/app">
    QS_DenyQueryBody   on
    QS_DenyQuery  +s01  deny "(?i)(EXEC|SELECT|INSERT|UPDATE|DELETE)"
</Location>
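To see what the rule above actually catches and what it lets through, here is an added example (mine, not code from the original post and not mod_qos itself) that models a QS_DenyQuery rule as "deny if the PCRE matches the query string" and runs it over a handful of constructed query strings. It compares the page's pattern with a tighter variant of my own (case-insensitive, bounded so that "DELETED" no longer matches) and reports each match both on the raw wire bytes and after one round of percent-decoding, because whether the real module decodes before matching is something you should verify against the documentation of the version you run.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the mod_qos rule on this page: case-sensitive, no word boundaries.
ORIGINAL = re.compile(r"(EXEC|SELECT|INSERT|UPDATE|DELETE)")

# Tighter variant (my suggestion, not from the original post): case-insensitive and
# bounded by non-letters. Lookarounds are used instead of \b on purpose: in raw
# percent-encoded text "%20SELECT%20" there is no \b between "0" and "S".
# It is still a keyword blacklist and still fires on benign text.
TIGHTER = re.compile(r"(?i)(?<![a-z])(exec|select|insert|update|delete)(?![a-z])")


def would_deny(pattern, query_string, url_decode):
    """Model of a QS_DenyQuery rule: deny if the PCRE matches the query string.

    url_decode=False matches the raw wire bytes; url_decode=True matches after one
    round of percent-decoding. This is an approximation of the module, not its code.
    """
    text = unquote_plus(query_string) if url_decode else query_string
    return pattern.search(text) is not None


# Constructed sample query strings (not captured from any real system).
SAMPLES = {
    "classic upper": "id=1%20UNION%20SELECT%20password%20FROM%20users",
    "lowercase":     "id=1%20union%20select%20password%20from%20users",
    "comment split": "id=1%20union%20sel/**/ect%20password%20from%20users",
    "hex escaped":   "id=1%20UNION%20%53ELECT%20password%20FROM%20users",
    "benign search": "q=DELETED%20items%20report",
    "benign update": "q=how%20to%20update%20my%20address",
}


def evaluate(samples=SAMPLES):
    """Return {name: {"orig_raw", "orig_dec", "tight_raw", "tight_dec"}} -> bool (True = denied)."""
    report = {}
    for name, qs in samples.items():
        report[name] = {
            "orig_raw": would_deny(ORIGINAL, qs, url_decode=False),
            "orig_dec": would_deny(ORIGINAL, qs, url_decode=True),
            "tight_raw": would_deny(TIGHTER, qs, url_decode=False),
            "tight_dec": would_deny(TIGHTER, qs, url_decode=True),
        }
    return report


if __name__ == "__main__":
    for name, row in evaluate().items():
        cells = "  ".join(f"{k}={'DENY' if v else 'pass'}" for k, v in row.items())
        print(f"{name:14} {cells}")
```

Reading the table: the page's pattern blocks the textbook uppercase payload and nothing else among the injection samples (lowercase and comment-split keywords pass, and the hex-escaped one only if the module decodes first), while it rejects the harmless "DELETED items" search. The tighter pattern fixes the case and the "DELETED" false positive but still misses sel/**/ect and still denies "how to update my address". That is the honest scope of this rule: a cheap speed bump for unsophisticated probes, not a substitute for fixing the query in the application.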
