
SQL Injection Protection?

Posted: Sun Mar 13, 2011 5:56 pm
by martin42
Hi,

Just setting up mod_rewrite for my new CMSMS site. "Pretty URLs" - now working OK :-)

As an extra benefit, I wondered if we could get some security protection too? Here's a possible ruleset, amalgamated from various sources...

Code:

# URL Filtering helps stop some hack attempts
#IF the URI contains a "http:\\", "https:\\", "ftp:\\" etc
RewriteCond %{QUERY_STRING} \\\\ [OR]

#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the URI contains a "<__script__>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]

#OR script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]

#OR if the URI contains a *
RewriteCond %{QUERY_STRING} \* [OR]

#OR the URI contains SQL injection type keywords
# (last condition in the chain, so it carries no [OR] flag)
RewriteCond %{QUERY_STRING} [^a-z](cast|char|convert|declare|delete|drop|exec|insert|meta|script|select|set|source|srs|truncate|union|update)[^a-z] [NC]

#then deny the request (403)
RewriteRule ^.*$ - [F,L]
Most of these rules seem plausible, but I guess the last one could false trigger too easily - unless there's some way to improve it?

I realise that CMSMS is quite mature now, so the developers will be experienced in avoiding SQL injection problems by now. But as an extra safety net, I just wondered whether mod_rewrite could provide some protection against SQL injection, or PHP injection maybe?

One complication is the use of pretty URLs. I don't feel confident that I fully understand the processing sequence involved, but presumably a "pretty URL" will get evaluated twice.

Thanks for any thoughts, or better regular expressions!

- Martin

Re: SQL Injection Protection?

Posted: Tue Mar 22, 2011 8:42 am
by scooper
This is covered in some detail in the Wiki

http://wiki.cmsmadesimple.org/index.php ... mall_Guide

and also as a sticky topic in this very forum.

Both well worth a read.

s.

Re: SQL Injection Protection?

Posted: Tue Mar 22, 2011 8:56 am
by martin42
Yes - I've been working from the guide, and a few other articles around here.

Your reply has served to remind me to update that Wiki page with a link to
http://forum.cmsmadesimple.org/viewtopi ... n+over+ssl
which documents a quick tweak to config.php that's required to make Admin over SSL work. It's a pity that Admin over SSL isn't supported out of the box, but it's not too hard to make it work.

I guess for the SQL injection protection line, the best thing I can do is try it, and watch out for error 403s. The main problem is whether any of my pages have filenames that include one of the words cast|char|convert|declare|delete|drop|exec|insert|meta|script|select|set|source|srs|truncate|union|update ...

Cheers

- Martin
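
The false-trigger concern raised in both of Martin's posts can be checked before the keyword rule goes live. The following is an added example, not part of the original thread: it runs the keyword pattern from the ruleset over ordinary query strings and reports which would get a 403. Assumptions: Python's `re` stands in for mod_rewrite's regex engine, the sample query strings are constructed, and `page=<alias>` assumes the pretty-URL rule rewrites the path into that parameter.

```python
import re

# Keyword pattern copied from the ruleset in the post; [NC] maps to re.IGNORECASE.
KEYWORDS = ("cast|char|convert|declare|delete|drop|exec|insert|meta|script|"
            "select|set|source|srs|truncate|union|update")
SQL_RULE = re.compile(r"[^a-z](" + KEYWORDS + r")[^a-z]", re.IGNORECASE)


def blocked_by(query_string):
    """Return the keyword that would trigger the 403, or None if the request passes."""
    match = SQL_RULE.search(query_string)
    return match.group(1).lower() if match else None


def audit(query_strings):
    """Map each query string to the keyword that blocks it (None means allowed)."""
    return {qs: blocked_by(qs) for qs in query_strings}


# Constructed query strings for harmless requests (assumed page aliases and parameters).
SAMPLES = [
    "page=contact-us",                  # no keyword at all
    "page=datasets",                    # "set" embedded in a longer word
    "page=how-to-update-your-profile",  # keyword between hyphens
    "page=tv-cast-list&lang=en",        # keyword between hyphens
    "page=meta-tags-guide",             # keyword right after "="
    "q=data+set+2",                     # site search for an everyday word
    "page=update",                      # keyword at the very end of the string
    "page=update&lang=en",              # same alias, one more parameter
]

if __name__ == "__main__":
    for qs, keyword in audit(SAMPLES).items():
        verdict = "403 (" + keyword + ")" if keyword else "allowed"
        print(f"{qs:38} {verdict}")
```

The pattern needs a non-letter on both sides of the keyword, so the same alias passes or fails depending on what follows it; any page alias or search term containing one of the words as a separate token is refused.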