.htaccess: block MySQL queries in URL
I need to write a rule that blocks a MySQL query, like
RewriteCond %{QUERY_STRING} UNION [OR]
but was thinking of something like
RewriteCond %{QUERY_STRING} SELECT (.*?) FROM [OR]
so that one couldn't ever run a query from the URL. Ideas?
Thanks, cheers -Jeremy
Here is the answer. So, based on this:
The Data Manipulation Language (DML) and the Data Definition Language (DDL).
The query and update commands form the DML part of SQL:
• SELECT - extracts data from a database
• UPDATE - updates data in a database
• DELETE - deletes data from a database
• INSERT INTO - inserts new data into a database
The DDL part of SQL permits database tables to be created or deleted. It also defines indexes (keys), specifies links between tables, and imposes constraints between tables. The most important DDL statements in SQL are:
• CREATE DATABASE - creates a new database
• ALTER DATABASE - modifies a database
• CREATE TABLE - creates a new table
• ALTER TABLE - modifies a table
• DROP TABLE - deletes a table
• CREATE INDEX - creates an index (search key)
• DROP INDEX - deletes an index
So, I'm thinking this covers 99% and it's one rule:
RewriteCond %{QUERY_STRING} .*
(
(%73|%53|s)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%63|%43|c)(%74|%54|t) #SELECT
| (%69|%49|i)(%6E|%4E|n)(%73|%53|s)(%65|%45|e)(%72|%52|r)(%74|%54|t) #INSERT
| (%44|%64|d)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%74|%54|t)(%65|%45|e) #DELETE
| (%44|%64|d)(%72|%52|r)(%4F|%6F|o)(%70|%50|p) #DROP
| (%55|%75|u)(%70|%50|p)(%44|%64|d)(%41|%61|a)(%74|%54|t)(%65|%45|e) #UPDATE
| (%41|%61|a)(%6C|%4C|l)(%74|%54|t)(%65|%45|e)(%72|%52|r) #ALTER
| (%41|%61|a)(%44|%64|d)(%44|%64|d) #ADD
| (%4A|%6A|j)(%4F|%6F|o)(%69|%49|i)(%6E|%4E|n) #JOIN
| (%63|%43|c)(%72|%52|r)(%65|%45|e)(%41|%61|a)(%74|%54|t)(%65|%45|e) #CREATE
)
.*
(
(%74|%54|t)(%41|%61|a)(%42|%62|b)(%6C|%4C|l)(%65|%45|e) #TABLE
| (%46|%66|f)(%72|%52|r)(%4F|%6F|o)(%4D|%6D|m) #FROM
| (%69|%49|i)(%6E|%4E|n)(%74|%54|t)(%4F|%6F|o) #INTO
| (%73|%53|s)(%65|%45|e)(%74|%54|t) #SET
| (%63|%43|c)(%4F|%6F|o)(%6C|%4C|l)(%55|%75|u)(%4D|%6D|m)(%6E|%4E|n) #COLUMN
| (%69|%49|i)(%6E|%4E|n)(%44|%64|d)(%65|%45|e)(%58|%78|x) #INDEX  (E is %45/%65, X is %58/%78)
| (%56|%76|v)(%69|%49|i)(%65|%45|e)(%57|%77|w) #VIEW  (E is %45/%65)
| (%55|%75|u)(%6E|%4E|n)(%69|%49|i)(%4F|%6F|o)(%6E|%4E|n) #UNION
| (%44|%64|d)(%41|%61|a)(%74|%54|t)(%41|%61|a)(%42|%62|b)(%41|%61|a)(%73|%53|s)(%65|%45|e) #DATABASE
)
.*
(
(%57|%77|w)(%48|%68|h)(%65|%45|e)(%72|%52|r)(%65|%45|e) #WHERE
| (%4F|%6F|o)(%6E|%4E|n) #ON
| (%41|%61|a)(%6C|%4C|l)(%6C|%4C|l) #ALL
| (.*) # blank, so move on (this alternative always matches)
)
.* [NC,OR]
It was tested as
RewriteCond %{QUERY_STRING} .*((%73|%53|s)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%63|%43|c)(%74|%54|t)|(%69|%49|i)(%6E|%4E|n)(%73|%53|s)(%65|%45|e)(%72|%52|r)(%74|%54|t)|(%44|%64|d)(%65|%45|e)(%6C|%4C|l)(%65|%45|e)(%74|%54|t)(%65|%45|e)|(%44|%64|d)(%72|%52|r)(%4F|%6F|o)(%70|%50|p)|(%55|%75|u)(%70|%50|p)(%44|%64|d)(%41|%61|a)(%74|%54|t)(%65|%45|e)|(%41|%61|a)(%6C|%4C|l)(%74|%54|t)(%65|%45|e)(%72|%52|r)|(%41|%61|a)(%44|%64|d)(%44|%64|d)|(%4A|%6A|j)(%4F|%6F|o)(%69|%49|i)(%6E|%4E|n)|(%63|%43|c)(%72|%52|r)(%65|%45|e)(%41|%61|a)(%74|%54|t)(%65|%45|e)).*((%74|%54|t)(%41|%61|a)(%42|%62|b)(%6C|%4C|l)(%65|%45|e)|(%46|%66|f)(%72|%52|r)(%4F|%6F|o)(%4D|%6D|m)|(%69|%49|i)(%6E|%4E|n)(%74|%54|t)(%4F|%6F|o)|(%73|%53|s)(%65|%45|e)(%74|%54|t)|(%63|%43|c)(%4F|%6F|o)(%6C|%4C|l)(%55|%75|u)(%4D|%6D|m)(%6E|%4E|n)|(%69|%49|i)(%6E|%4E|n)(%44|%64|d)(%65|%45|e)(%58|%78|x)|(%56|%76|v)(%69|%49|i)(%65|%45|e)(%57|%77|w)|(%55|%75|u)(%6E|%4E|n)(%69|%49|i)(%4F|%6F|o)(%6E|%4E|n)|(%44|%64|d)(%41|%61|a)(%74|%54|t)(%41|%61|a)(%42|%62|b)(%41|%61|a)(%73|%53|s)(%65|%45|e)).*((%57|%77|w)(%48|%68|h)(%65|%45|e)(%72|%52|r)(%65|%45|e)|(%4F|%6F|o)(%6E|%4E|n)|(%41|%61|a)(%6C|%4C|l)(%6C|%4C|l)|(.*)).* [NC,OR]
with
http://www.domain.tdl/index.php?mact=jobs,dt,default,0&dtcategory=1%5C,)%23&dtsortby=1%0D%0AUN%69ON%20S%45LECT%201,2,3,4,5,CONCAT_WS(0x203a20,%20username,%20password),7,8,9,10,11,12,13,14,15,16,17,18,19,20%20%46ROM%20tec_users--
Note that it tests for
S%45LECT UN%69ON
etc. Also, I tested on the server and saw no visible delay, but I'd love to see numbers put to it, as it's one rule and I agree with the need to keep things light and tight.
Now, if anyone has a better rule, that would be the challenge here.
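As an added example (not from the question or the answer above), the same verb-then-object keyword check reimplemented in Python so the rule's logic can be exercised offline: the per-letter %XX alternation is generated from the two keyword lists, the raw query string is matched without decoding (as Apache's %{QUERY_STRING} is), and the constructed samples include a shortened form of the URL tested above plus an ordinary redirect parameter that the rule also blocks, which shows the false positives a rule this broad produces on normal traffic. The function names and the example.com URLs are my own; the rule's third group ends in (.*) and always matches, so it is left out.

```python
import re
from urllib.parse import urlsplit

# Keyword groups from the posted rule. The rule fires when a verb is
# followed, anywhere later in the query string, by one of the objects.
VERBS = ["select", "insert", "delete", "drop", "update", "alter", "add", "join", "create"]
OBJECTS = ["table", "from", "into", "set", "column", "index", "view", "union", "database"]


def encoded_alt(word):
    """Expand a keyword into the per-letter alternation the rule uses:
    each letter may appear raw or as its upper/lower-case %XX encoding,
    e.g. "set" -> (?:%53|%73|s)(?:%45|%65|e)(?:%54|%74|t)."""
    return "".join(
        "(?:%%%02X|%%%02x|%s)" % (ord(c.upper()), ord(c), c) for c in word
    )


# re.IGNORECASE plays the role of the [NC] flag.
RULE = re.compile(
    "(?:" + "|".join(encoded_alt(w) for w in VERBS) + ").*"
    "(?:" + "|".join(encoded_alt(w) for w in OBJECTS) + ")",
    re.IGNORECASE,
)


def query_string_blocked(url):
    """True if the rule would fire. Apache's %{QUERY_STRING} is the raw,
    still percent-encoded string, so the raw query is matched here too."""
    return RULE.search(urlsplit(url).query) is not None


# Shortened form of the URL tested in the answer: S%45LECT ... %46ROM is
# the verb/object pair the rule catches despite the mixed encoding.
TESTED_URL = ("http://www.domain.tdl/index.php?dtsortby=1%0D%0AUN%69ON%20"
              "S%45LECT%201,2%20%46ROM%20tec_users--")

# Constructed samples: a harmless redirect parameter that the rule also
# blocks ("update" ... "set" inside /updates/settings), and a clean one.
FALSE_POSITIVE_URL = "http://example.com/?goto=%2Fupdates%2Fsettings"
HARMLESS_URL = "http://example.com/index.php?page=2&sort=name&order=asc"

if __name__ == "__main__":
    for u in (TESTED_URL, FALSE_POSITIVE_URL, HARMLESS_URL):
        print(query_string_blocked(u), u)
```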