Block SQL Injection

Payam Chychi pchychi at gmail.com
Thu Apr 21 01:08:45 MSD 2011


Ryan Malayter wrote:
> On Wed, Apr 20, 2011 at 3:22 PM, Cliff Wells <cliff at develix.com> wrote:
>   
>> On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:
>>     
>>> Hi all. Anybody know how can I block some characters for avoid SQL
>>> Injection using Nginx as web server o HTTP reverse-proxy?
>>> Thanks a lot.
>>>       
>> You can't really, unless you write a custom module. Rewrite rules won't
>> help since they don't deal with the POST body. There may be some filter
>> module I'm unaware of that could do it, but I'd still suggest you don't.
>> It's much better to simply use software written by moderately capable
>> developers. SQL-injection is so trivial to avoid at the application
>> level that it's borderline unforgivable to find it in a modern web app.
>>
>>     
>
> Except when it's that eleventy-hundred-thousand-dollar application you
> inherited from a departed CIO, and the vendor releases patches about
> once a year, after which you then have to spend hundreds of man-hours
> getting them though QA. Usually the app is from a "major enterprise
> vendor" which took that departed CIO on a lot of golf trips. Note I am
> *not* talking about Microsoft here - they're actually saintly by
> comparison.
>
> Unfortunately, nginx is not an IPS or a Web Application Firewall. Both
> categories can usually handle SQL and javascript injection attacks
> with a little configuration. But good devices/software in this
> category is very spendy. You may be able to block a specific attack
> with some form of Regex filter in Apache, but that will be like
> playing whack-a-mole, because there are undoubtedly other holes you
> need to plug.
>
>   
Id recommend looking into http://www.greensql.net/ or get layer7 
application security provided by radware/juniper
-Payam




More information about the nginx mailing list