.htaccess rules to protect against SQL Injection attacks

Posted by Luis Majano
Aug 08, 2008 00:00:00 UTC
Due to the recent surge in SQL injection attacks, Sana Ullah has done some great work on a set of .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing them here. Please note that all the rules are written for ColdBox SES, so make sure to update them accordingly.

RewriteEngine on

# SQL Injection Protection -- read more at www.cybercrime.gov
# Use these rules only if the words below do not conflict with your friendly URLs; modify accordingly.
# Note: RewriteRule is matched against the percent-decoded request path, not the query string,
# so these patterns only see parameters carried in ColdBox SES URLs. They are a blacklist of
# known keywords, not a replacement for cfqueryparam in your queries.
RewriteRule ^.*EXEC\(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST\(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
# "%20" has already been decoded to a space by the time the path is matched, so match both forms
RewriteRule ^.*DECLARE(%20|\s).*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*(%20|\s)xp_.*$ /notfound.htm [L,F,NC]

# Pass static files straight through; each of these is the last rule applied when it matches.
# In .htaccess (per-directory) context the leading slash is stripped before matching, so it is optional here.
# Images:
RewriteRule ^/?(.*\.(png|gif|jpg|bmp))$ /$1 [L,PT,NC]
# CSS and JS files:
RewriteRule ^/?(.*\.(css|js))$ /$1 [L,PT,NC]
# txt/doc/pdf/xls files:
RewriteRule ^/?(.*\.(txt|pdf|doc|xls))$ /$1 [L,PT,NC]

# Everything that is not a real file or directory goes to the ColdBox front controller (SES)
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
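To see what these rules actually inspect, here is an added example (not from the post or from ColdBox) that parses the F-flagged RewriteRules with a small, hypothetical Python harness and applies them the way mod_rewrite does, to the percent-decoded path and never to the query string. The rule text is a constructed copy of the blocking rules above, plus a corrected `(%20|\s)xp_` form placed beside the literal `%20xp_` one so you can see which of the two fires.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed copy of the blocking rules (hypothetical file content, not the
# ColdBox SVN file). The last rule is a corrected form of the "%20xp_" rule;
# the pass-through and index.cfm rules play no part in blocking and are omitted.
HTACCESS = r"""
RewriteEngine on
RewriteRule ^.*EXEC\(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST\(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*(%20|\s)xp_.*$ /notfound.htm [L,F,NC]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")

def parse_rules(text):
    """Compile every RewriteRule carrying the F (forbidden) flag; NC -> re.IGNORECASE."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, _target, flags = m.groups()
        flagset = {f.strip().upper() for f in (flags or "").split(",")}
        if "F" in flagset:
            rx = re.compile(pattern, re.IGNORECASE if "NC" in flagset else 0)
            rules.append((rx, line.strip()))
    return rules

def matched_path(url, per_directory=True):
    """What mod_rewrite hands to RewriteRule: the percent-decoded path only
    (the query string is never part of it); in .htaccess context the leading
    '/' has already been stripped."""
    path = unquote(urlsplit(url).path)
    return path.lstrip("/") if per_directory else path

def blocking_rules(url, rules):
    """Source lines of every F rule that would fire on this request."""
    subject = matched_path(url)
    return [line for rx, line in rules if rx.search(subject)]

RULES = parse_rules(HTACCESS)

if __name__ == "__main__":
    for url in ("/index.cfm/user/list/DECLARE%20@x",  # SES-style path: caught
                "/index.cfm?id=DECLARE%20@x",         # query string: not seen by RewriteRule
                "/index.cfm/a%20xp_foo"):             # only the decoded-space form fires
        print(url, "->", blocking_rules(url, RULES) or "passes through")
```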

Oğuz Demirkapı

Great work! Thanks :)

Mark Mazelin

Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need the exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule?

Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...