Put a daily backup on your databases. :)<br><br clear="all">Regards,<br>Joe<br>
<br><br><div class="gmail_quote">On Thu, Apr 21, 2011 at 4:08 AM, Payam Chychi <span dir="ltr"><<a href="mailto:pchychi@gmail.com">pchychi@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">Ryan Malayter wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, Apr 20, 2011 at 3:22 PM, Cliff Wells <<a href="mailto:cliff@develix.com" target="_blank">cliff@develix.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Wed, 2011-04-20 at 13:05 -0400, jacppe wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all. Anybody know how can I block some characters for avoid SQL<br>
Injection using Nginx as web server o HTTP reverse-proxy?<br>
Thanks a lot.<br>
<br>
</blockquote>
You can't really, unless you write a custom module. Rewrite rules won't<br>
help since they don't deal with the POST body. There may be some filter<br>
module I'm unaware of that could do it, but I'd still suggest you don't.<br>
It's much better to simply use software written by moderately capable<br>
developers. SQL-injection is so trivial to avoid at the application<br>
level that it's borderline unforgivable to find it in a modern web app.<br>
<br>
<br>
</blockquote>
<br>
Except when it's that eleventy-hundred-thousand-dollar application you<br>
inherited from a departed CIO, and the vendor releases patches about<br>
once a year, after which you then have to spend hundreds of man-hours<br>
getting them though QA. Usually the app is from a "major enterprise<br>
vendor" which took that departed CIO on a lot of golf trips. Note I am<br>
*not* talking about Microsoft here - they're actually saintly by<br>
comparison.<br>
<br>
Unfortunately, nginx is not an IPS or a Web Application Firewall. Both<br>
categories can usually handle SQL and javascript injection attacks<br>
with a little configuration. But good devices/software in this<br>
category is very spendy. You may be able to block a specific attack<br>
with some form of Regex filter in Apache, but that will be like<br>
playing whack-a-mole, because there are undoubtedly other holes you<br>
need to plug.<br>
<br>
<br>
</blockquote></div></div>
Id recommend looking into <a href="http://www.greensql.net/" target="_blank">http://www.greensql.net/</a> or get layer7 application security provided by radware/juniper<br><font color="#888888">
-Payam</font><div><div></div><div class="h5"><br>
<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org" target="_blank">nginx@nginx.org</a><br>
<a href="http://nginx.org/mailman/listinfo/nginx" target="_blank">http://nginx.org/mailman/listinfo/nginx</a><br>
</div></div></blockquote></div><br>