|jacppe||Apr 20, 2011 10:04 am|
|SplitIce||Apr 20, 2011 10:23 am|
|Cliff Wells||Apr 20, 2011 1:22 pm|
|Ryan Malayter||Apr 20, 2011 1:45 pm|
|Payam Chychi||Apr 20, 2011 2:08 pm|
|Joe||Apr 20, 2011 2:22 pm|
|António P. P. Almeida||Apr 20, 2011 2:42 pm|
|Cliff Wells||Apr 20, 2011 3:09 pm|
|Payam Chychi||Apr 20, 2011 5:43 pm|
|Cliff Wells||Apr 20, 2011 6:35 pm|
|Payam Chychi||Apr 20, 2011 8:07 pm|
|Cliff Wells||Apr 20, 2011 8:31 pm|
|Edho P Arief||Apr 20, 2011 8:40 pm|
|Cliff Wells||Apr 20, 2011 8:58 pm|
|Subject:||Re: Block SQL Injection|
|From:||Payam Chychi (pchy...@gmail.com)|
|Date:||Apr 20, 2011 2:08:14 pm|
Ryan Malayter wrote:
On Wed, Apr 20, 2011 at 3:22 PM, Cliff Wells <cli...@develix.com> wrote:
On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:
Hi all. Does anybody know how I can block some characters to avoid SQL injection using Nginx as a web server or HTTP reverse proxy? Thanks a lot.
You can't really, unless you write a custom module. Rewrite rules won't help since they don't deal with the POST body. There may be some filter module I'm unaware of that could do it, but I'd still suggest you don't. It's much better to simply use software written by moderately capable developers. SQL-injection is so trivial to avoid at the application level that it's borderline unforgivable to find it in a modern web app.
Except when it's that eleventy-hundred-thousand-dollar application you inherited from a departed CIO, and the vendor releases patches about once a year, after which you then have to spend hundreds of man-hours getting them through QA. Usually the app is from a "major enterprise vendor" which took that departed CIO on a lot of golf trips. Note I am *not* talking about Microsoft here - they're actually saintly by comparison.
I'd recommend looking into http://www.greensql.net/ or get layer 7 application security provided by radware/juniper -Payam
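To make the application-level point from this thread concrete, here is an added example (not code from the thread or from nginx): the same user lookup written the vulnerable way, with the input pasted into the SQL text, and the hardened way, with a bound parameter, run against a constructed in-memory SQLite table. The table, the names and the probe input are all made up for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample database, not anything from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The application-level bug the thread is about: the user-supplied value
    # becomes part of the SQL text, so a quote in the input rewrites the query.
    # This is the defect; no character filtering in the proxy fixes it reliably.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: a bound parameter is always treated as data by the driver,
    # never as SQL, so quotes and keywords in the input cannot alter the query.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that contains a quote character
    print(lookup_vulnerable(db, probe))  # returns every row: the query was rewritten
    print(lookup_safe(db, probe))        # returns []: no user has that literal name
```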