14 messages in ru.sysoev.nginxRe: Block SQL Injection| From | Sent On | Attachments |
|---|---|---|
| jacppe | Apr 20, 2011 10:04 am | |
| SplitIce | Apr 20, 2011 10:23 am | |
| Cliff Wells | Apr 20, 2011 1:22 pm | |
| Ryan Malayter | Apr 20, 2011 1:45 pm | |
| Payam Chychi | Apr 20, 2011 2:08 pm | |
| Joe | Apr 20, 2011 2:22 pm | |
| António P. P. Almeida | Apr 20, 2011 2:42 pm | |
| Cliff Wells | Apr 20, 2011 3:09 pm | |
| Payam Chychi | Apr 20, 2011 5:43 pm | |
| Cliff Wells | Apr 20, 2011 6:35 pm | |
| Payam Chychi | Apr 20, 2011 8:07 pm | |
| Cliff Wells | Apr 20, 2011 8:31 pm | |
| Edho P Arief | Apr 20, 2011 8:40 pm | |
| Cliff Wells | Apr 20, 2011 8:58 pm |
| Subject: | Re: Block SQL Injection | |
|---|---|---|
| From: | Payam Chychi (pchy...@gmail.com) | |
| Date: | Apr 20, 2011 2:08:14 pm | |
| List: | ru.sysoev.nginx | |
Ryan Malayter wrote:
On Wed, Apr 20, 2011 at 3:22 PM, Cliff Wells <cli...@develix.com> wrote:
On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:
Hi all. Anybody know how can I block some characters for avoid SQL Injection using Nginx as web server o HTTP reverse-proxy? Thanks a lot.
You can't really, unless you write a custom module. Rewrite rules won't help since they don't deal with the POST body. There may be some filter module I'm unaware of that could do it, but I'd still suggest you don't. It's much better to simply use software written by moderately capable developers. SQL-injection is so trivial to avoid at the application level that it's borderline unforgivable to find it in a modern web app.
Except when it's that eleventy-hundred-thousand-dollar application you inherited from a departed CIO, and the vendor releases patches about once a year, after which you then have to spend hundreds of man-hours getting them though QA. Usually the app is from a "major enterprise vendor" which took that departed CIO on a lot of golf trips. Note I am *not* talking about Microsoft here - they're actually saintly by comparison.
Unfortunately, nginx is not an IPS or a Web Application Firewall. Both categories can usually handle SQL and javascript injection attacks with a little configuration. But good devices/software in this category is very spendy. You may be able to block a specific attack with some form of Regex filter in Apache, but that will be like playing whack-a-mole, because there are undoubtedly other holes you need to plug.
Id recommend looking into http://www.greensql.net/ or get layer7 application security provided by radware/juniper -Payam
_______________________________________________ nginx mailing list ngi...@nginx.org http://nginx.org/mailman/listinfo/nginx