John regularly blogs about ColdFusion, JavaScript and other web technologies and contributes to several FOSS projects. His hobbies include writing in the third person. John is a DZone MVB and is not an employee of DZone.

Blocking SQL Injection with htaccess

12.26.2012

I've had a recent spate of SQL injection attempts on a site I maintain. The site passes SQL parameters, which greatly reduces the risk of a hacker doing anything nasty (look up cfqueryparam if you want to know more); however, the server still has to process the request and throw an error, which has an overhead, and there may also be an unprotected query (such as an order by clause), so I'd like to add a set of rules to my htaccess file to stop the request at the web server level (using Apache's mod_rewrite or Helicon's ISAPI_Rewrite on IIS) before it reaches my CFML server.

These are the rules I'm using. I thought I'd share in case it's useful for others and also to ask if anyone has any improvements.

RewriteEngine On

# --------------------------------------------------------------------
# SQL Injection Protection
# --------------------------------------------------------------------
# In Apache mod_rewrite the RewriteRule pattern is matched against the
# URL path only, never the query string, which is where these payloads
# usually arrive, so each signature is tested with RewriteCond on
# %{QUERY_STRING}. The query string is not URL-decoded, so an encoded
# space (%20) is matched literally. The conditions are OR'd together;
# any match answers 404 and stops rewriting. DECLARE also covers the
# DECLARE%20 case.
RewriteCond %{QUERY_STRING} EXEC\(@        [NC,OR]
RewriteCond %{QUERY_STRING} CAST\(         [NC,OR]
RewriteCond %{QUERY_STRING} DECLARE        [NC,OR]
RewriteCond %{QUERY_STRING} NVARCHAR       [NC,OR]
RewriteCond %{QUERY_STRING} sp_password    [NC,OR]
RewriteCond %{QUERY_STRING} %20xp_         [NC]
RewriteRule .* - [R=404,L]
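To see what these signatures actually catch, here is an added example (not code from the post) that re-implements the same case-insensitive deny-list in Python and runs it over a few constructed request URLs. The `check_query` switch models the difference between a plain RewriteRule, which in Apache only sees the decoded path, and a RewriteCond on the query string. It also shows the main caveat of substring matching: a benign search for "declared" trips the DECLARE rule. The function names and sample URLs are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The seven signatures from the htaccess rules above (DECLARE subsumes
# DECLARE%20), compiled case-insensitively to mirror the NC flag. The
# input is URL-decoded before matching, so "%20xp_" becomes " xp_".
DENY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"EXEC\(@", r"CAST\(", r"DECLARE", r"NVARCHAR", r"sp_password", r" xp_")
]


def matched_rule(url, check_query=True):
    """Return the pattern text of the first rule that fires, or None.

    check_query=False mimics a bare RewriteRule, which in Apache is
    matched against the path only; check_query=True mimics adding a
    RewriteCond %{QUERY_STRING}. Both parts are decoded with
    unquote_plus so '+' and '%20' are treated alike as spaces.
    """
    parts = urlsplit(url)
    subjects = [unquote_plus(parts.path)]
    if check_query:
        subjects.append(unquote_plus(parts.query))
    for subject in subjects:
        for pattern in DENY_PATTERNS:
            if pattern.search(subject):
                return pattern.pattern
    return None


def audit(urls, check_query=True):
    """Map each URL to the rule it trips (or None) for quick review."""
    return {url: matched_rule(url, check_query) for url in urls}


# Constructed sample requests: one benign, one injection-shaped,
# one benign false positive, one path that looks close but is not matched.
SAMPLE_REQUESTS = [
    "/products.cfm?id=42",
    "/products.cfm?id=42;DECLARE%20@s%20NVARCHAR(4000)",
    "/search.cfm?q=declared+value",
    "/podcast/episode-3",
]

if __name__ == "__main__":
    print("path only (plain RewriteRule):")
    for url, rule in audit(SAMPLE_REQUESTS, check_query=False).items():
        print(f"  {rule or 'allow':12} {url}")
    print("path + query string (RewriteCond %{QUERY_STRING}):")
    for url, rule in audit(SAMPLE_REQUESTS).items():
        print(f"  {rule or 'allow':12} {url}")
```

Run as a script, the first listing lets the injection-shaped request through because the payload sits in the query string, while the second blocks it; the second listing also blocks the harmless "declared value" search, which is the false-positive cost of matching bare keywords. Whitelisting known-good parameter formats or adding word boundaries to the patterns are the usual ways to tighten this.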

Published at DZone with permission of John Whish, author and DZone MVB. (source)
