mod_rewrite for mysql injection attacks

Discussion in 'Apache' started by raydance, Sep 30, 2008.

  1. #1
    I am working with Apache 2.0.49 on a Linux box and having trouble getting a rewrite to work. I want to remove all words that are possible problems in the MySQL injection attack. The rewrite I am using does not have any errors, just does not work. Does not seem to do anything.

    The words are:
    declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update

    I have it written like this:

    <Directory /usr/var/www/docs/bobie>
    AllowOverride All
    Options +FollowSymlinks
    Options +Indexes

    RewriteEngine on
    RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
    RewriteRule (.*) - [F,L]
    </Directory>

    Condition is all on one line.

    Any help is appreciated.
     
    raydance, Sep 30, 2008 IP
  2. alhelalat

    #2
    In my personal opinion this is not the right way to stop SQL injections.
    You might use a PHP function to stop this. Here is a short article. USE ON YOUR OWN RISK

    How SQL Injection is possible?

    This is possible through user input ( POST, GET )

    With SQL Injection a hacker can retrieve your data, insert, delete, so basically can do anything with your database.

    You need to sanitize input data, before being used in a sql query.
    PHP has two functions for mysql that sanitize user input: addslashes( older ) and mysql_real_escape_string( recommended ). This function comes from PHP >= 4.3.0, so you should check first if this function exists. Mysql_real_escape_string prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
    Below is a customized function I use to sanitize input data before using it in a SQL query:
    A brief explanation

    If get_magic_quotes_gpc function is On, then all the POST,GET,COOKIE data is escaped automatically.
    This function was set to On, to protect beginner developers, but from next releases of PHP this function will be Off.
    So if get_magic_quotes_gpc is enabled, we need to remove slashes, with stripslashes function, and then apply mysql_real_escape_string or addslashes, the one that is available.
    You cannot rely on magic quotes, as it depends on php installation.

    how to call this function ?

    I hope this can be helpful, but please remember USE ON YOUR OWN RISK
     
    alhelalat, Oct 1, 2008 IP
  3. raydance

    #3
    I have a server with 15 or so mysql applications, some php and some perl, and 2 python. I did figure out the syntax to make the global fix I wanted to work. I will paste it below. The only thing to yet figure out is how to match a whole word only. Example: 'set' in the string (below) will match a query word of 'upset' - I need to match whole word only and have tried several variations and none work yet. Can not find anything on this type of match.

    RewriteEngine on
    RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC]
    RewriteRule (.*) - [F,L]
     
    raydance, Oct 1, 2008 IP
  4. cancer10

    #4
    alhelalat is right. Your way is not the proper way to stop SQL injections. Rather use the PHP function he mentioned in your PHP pages. Unfortunately, Classic ASP does not have such a great function to stop SQL injections. I had a hard time fixing the frequent SQL injections in my site that was made in ASP :(
     
    cancer10, Oct 10, 2008 IP
  5. Ladadadada

    #5
    Surrounding each word with a space character will work for spaces but will allow things like tabs and other white space to get through. You may have to add ( |\t|\r|\n) before and after each word.

    Oh... and this:
    ' OR 1=1; --
    Code (markup):
    will still get through your rewrite rule and that is a valid SQL injection.

    The trouble with matching "dangerous" strings like this is that there are so many ways around it. If you forget just one of them then an attacker can get in and do something.

    Worse still is the way different programs treat strings. For instance, in PHP, this string is 18 characters long: "/etc/passwd%00.php" but in C it is only 11 characters long. If you try to include() that string it will actually include /etc/passwd because %00 is the URL encoded version of the null character and C uses that character to mark the end of a string. The same thing can happen in your SQL statements with %0D and %0A which are the URL encoded versions of the carriage return and newline characters which can be ignored in SQL statements. If someone inserts one of those in the middle of a keyword then the rewrite rule won't match it but it will still work as an SQL injection.

    Besides words, some symbols have special meanings in SQL statements. Percent (%), underscore (_), single-quote (') and dash-dash (--) all have special meanings and shouldn't be allowed in user controlled parts of SQL statements. Your rewrite rule currently doesn't take these into account either.
     
    Ladadadada, Oct 14, 2008 IP
  6. ryanrbftp

    #6
    RewriteCond %{QUERY_STRING} .*(declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update).* [NC]
    Code (markup):
    Am I correct in saying that this code will also block URLs like:
    somebody-said-delete.html
    Code (markup):
    :confused:
     
    ryanrbftp, Oct 8, 2009 IP
  7. Ladadadada

    #7
    No.

    %{QUERY_STRING} refers only to the part after the ? in the URL.

    It would block something like this however:
    
    /blog/index.php?blog_title=somebody-said-delete
    
    Code (markup):
    which is still pretty bad.

    The other two useful Apache variables are %{REQUEST_URI} which is the bit from http:// up to .html and %{THE_REQUEST} which is the whole lot, right from GET or POST up to (I think) HTTP/1.0.

    A very handy cheat sheet here: http://www.addedbytes.com/apache/mod_rewrite-cheat-sheet/
     
    Ladadadada, Oct 11, 2009 IP
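
Added example, not part of any post in the thread: a Python harness that replays the RewriteCond patterns from posts #1 and #3 against request lines quoted in the thread, with Python's `re` standing in for Apache's regex engine. The `word_boundary` rule and the `/search.php` and `/item.php` paths are assumptions made for illustration.

```python
import re

WORDS = ("declare|char|set|cast|convert|delete|drop|exec|insert|meta|"
         "script|select|truncate|update")

# Python's re stands in for Apache's regex engine; [NC] becomes re.IGNORECASE.
RULES = {
    "post1": re.compile(r"[^a-z](" + WORDS + r")[^a-z]", re.I),
    "post3": re.compile(r".*(" + WORDS + r").*", re.I),
    # Assumed whole-word variant using \b; not a rule posted in the thread.
    "word_boundary": re.compile(r"\b(" + WORDS + r")\b", re.I),
}

def query_string(url):
    """Return what %{QUERY_STRING} holds: the raw text after the first '?'."""
    return url.partition("?")[2]

def blocked(rule, url):
    """True if the RewriteCond matches, so the RewriteRule answers 403 ([F])."""
    return RULES[rule].search(query_string(url)) is not None

# Constructed sample requests built from strings quoted in the thread.
SAMPLES = {
    "path_only": "/somebody-said-delete.html",
    "blog_title": "/blog/index.php?blog_title=somebody-said-delete",
    "upset": "/search.php?q=upset",
    "tautology": "/item.php?id=' OR 1=1; --",
}

def evaluate():
    """Map each sample name to the set of rules that would block it."""
    return {name: {rule for rule in RULES if blocked(rule, url)}
            for name, url in SAMPLES.items()}

if __name__ == "__main__":
    for name, rules in evaluate().items():
        print(f"{name:12} blocked by: {sorted(rules) or 'none'}")
```

Every variant lets the `' OR 1=1; --` input from post #5 through, while the benign `blog_title` request is refused by two of the three rules, which is why the filter cannot replace escaping or parameter binding in the application.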