security - What are the dangers of blocking SQL injections in .htaccess? -


i've been looking sure defences on wordpress site. unsurprisingly there huge amount of documentation on subject. 2 of better guides seem here:

http://moz.com/blog/the-definitive-guide-to-wordpress-security

and obviously: http://codex.wordpress.org/hardening_wordpress

i'd harden defences sql injection, previous site fell victim such attack , proved impossible clean again.

judging comments posted on many other sites , similar guides there seems many people disagreeing every way achieve there swearing it.

i thinking adding below (found on first mentioned site) site seems talk the dangers of doing such action beyond obvious dangers of editing .htaccess file.

what functionality expect loose or compromise adding this, and, if none why isn't kind of code included in basic wordpress install? if there no harm adding kind of thing why doesn't every install include , allow developers know they're doing remove if necessary??

    ## sql injection block ## <ifmodule mod_rewrite.c> rewritebase / rewritecond %{request_method} ^(head|trace|delete|track) [nc] rewriterule ^(.*)$ - [f,l] rewritecond %{query_string} \.\.\/ [nc,or] rewritecond %{query_string} boot\.ini [nc,or] rewritecond %{query_string} tag\= [nc,or] rewritecond %{query_string} ftp\:  [nc,or] rewritecond %{query_string} http\:  [nc,or] rewritecond %{query_string} https\:  [nc,or] rewritecond %{query_string} (\|%3e) [nc,or] rewritecond %{query_string} mosconfig_[a-za-z_]{1,21}(=|%3d) [nc,or] rewritecond %{query_string} base64_encode.*\(.*\) [nc,or] rewritecond %{query_string} ^.*(\[|\]|\(|\)||ê|"|;|\?|\*|=$).* [nc,or] rewritecond %{query_string} ^.*("|'|<|>|\|{||).* [nc,or] rewritecond %{query_string} ^.*(%24&x).* [nc,or] rewritecond %{query_string} ^.*(%0|%a|%b|%c|%d|%e|%f|127\.0).* [nc,or] rewritecond %{query_string} ^.*(globals|encode|localhost|loopback).* [nc,or] rewritecond %{query_string} ^.*(request|select|insert|union|declare).* [nc] rewritecond %{http_cookie} !^.*wordpress_logged_in_.*$ rewriterule ^(.*)$ - [f,l] </ifmodule>

given limited sql knowledge i'm worried breaking database search functions such url based queries (for example in wp-admin users.php?s=rachel&action=-1&new_role&paged=1&action2=-1

in nutshell:

  • my main question dangers of limiting sql injection in .htaccess ie wordpress, functions or plugins rely on being able change database through such actions. have custom theme , use custom php on quite few pages use known wordpress functions add data , never write direct sql queries or edits.

and

  • will stop attacks used in kind of instance "how can prevent sql injection in php?" (ie. save reading -- modifying form inject sql database, when have coded kind of post.)

    if (isset($_post['dropdownmenu'])) { update_post_meta($postid , 'meta_value' , $thedropdownvalue );

this not useful, following reasons:

  1. it impossible define rules catch every possible injection. still need proper defenses in application code (i.e. bound parameters) in order secure. if code secured, url filtering unnecessary.

  2. this filters url. sql injections come through post variables. above, need defenses in application code defend against that.

  3. there significant probability rules broad block legitimate traffic (for example, /article.php?title=us-declares-war blocked 1 of given rules).


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more