SQL Injection questions


  • #41360
    protection
    Participant

    Hello –

    If somebody types in a certain phrase on my site with quotes, they’ll get directed to the page stating 403 Forbidden Error. I’m pretty sure this is to safeguard against SQL Injection attacks. For example, the search for “transcript” contains the string script, so this is being blocked. There’s no problem when quotes are omitted.

    Is there a way to disable this, and if so, is it very risky? Is there a way to whitelist certain keywords?

    Thanks

    EDIT: I did notice the following within the .htaccess file, which seems to be what’s doing the blocking:

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]

    Is it possible to make the aforementioned keywords exact matches, so that a search for “transcript” won’t be considered a SQL injection attempt? This would be preferable to whitelisting keywords.

    #41361
    AITpro Admin
    Keymaster

    The optimum solution would be to have your search form remove/strip the double-quote code characters, but that would most likely be too complicated to do. So you can either remove the double-quote code characters or remove script from the SQL Injection security rule as shown below. Typically single-quote code characters are used in SQL Injection attacks, so it is relatively safe to remove the double-quote code characters. To save your htaccess code modifications permanently, make and save your htaccess code edits in this BPS Root Custom Code text box: 12. CUSTOM CODE BPSQSE BPS QUERY STRING EXPLOITS. If you do not see any htaccess code in this text box, copy the entire BPS Query String Exploits htaccess code from your root htaccess file into this text box, edit it, save your changes and activate Root folder BulletProof Mode.

    Double quotes code characters removed

    RewriteCond %{QUERY_STRING} (;|<|>|'|\)|%0A|%0D|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    script removed

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|set|md5|benchmark|encode) [NC,OR]
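
The rule above, replayed against a few constructed query strings: this is an added example, not code from the thread or from BulletProof Security. It reproduces the original rule, the two edits posted in this reply (using the keyword list from the first post; the posted versions also add order), and a whole-word variant that addresses the "exact matches" question from the first post. The whole-word anchor is my own construction, not a BPS rule, and the sample query strings are made up. mod_rewrite tests %{QUERY_STRING} raw, before any URL decoding, and [NC] makes the match case-insensitive; Python's re.search with re.IGNORECASE behaves the same way for these patterns, which use only syntax PCRE (what mod_rewrite uses) also supports.

```python
"""Added example (not BPS code): replay the thread's SQL Injection rule against
constructed query strings to see what each suggested edit changes."""
import re

# Special characters from the rule: one of these must occur somewhere BEFORE
# a keyword. Both the literal '"' and its encoding %22 are listed because the
# query string is matched before any URL decoding.
SPECIAL = r'(;|<|>|\'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00)'
SPECIAL_NO_DQ = r'(;|<|>|\'|\)|%0A|%0D|%27|%3C|%3E|%00)'

KEYWORDS = (r'/\*|union|select|insert|drop|delete|update|cast|create|char'
            r'|convert|alter|declare|script|set|md5|benchmark|encode')
KEYWORDS_NO_SCRIPT = KEYWORDS.replace('script|', '')

# Whole-word keyword (my assumption, not a BPS rule): the keyword may not be
# preceded or followed by a letter, EXCEPT that a preceding percent-escape such
# as %3C counts as a boundary even though it ends in a hex letter. A plain \b
# or (?<![a-z]) alone would silently miss "%3Cscript".
WORD = r'(?:(?<![a-z])|(?<=%[0-9a-f]{2}))(' + KEYWORDS + r')(?![a-z])'

RULES = {
    'original':              SPECIAL + '.*(' + KEYWORDS + ')',
    'double quotes removed': SPECIAL_NO_DQ + '.*(' + KEYWORDS + ')',
    'script removed':        SPECIAL + '.*(' + KEYWORDS_NO_SCRIPT + ')',
    'whole-word keywords':   SPECIAL + '.*' + WORD,
}


def blocked(rule: str, query_string: str) -> bool:
    """True if the named rule would send this raw query string to the 403 page."""
    return re.search(RULES[rule], query_string, re.IGNORECASE) is not None


# Constructed query strings, exactly as a browser or attacker would send them.
SAMPLES = {
    'plain search':         's=transcript',
    'quoted search':        's=%22transcript%22',      # browser encodes the quotes
    'raw-quoted search':    's="transcript"',          # client that does not encode
    'keyword before quote': 's=select+transcript%22',  # keyword precedes the special char
    'single-quote probe':   's=%27+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users--',
    'double-quote probe':   's=%22+UNION+SELECT+1%2C2%2C3--',
    'xss probe':            's=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E',
}


def matrix() -> dict:
    """{sample name: {rule name: blocked?}} for every combination."""
    return {name: {rule: blocked(rule, qs) for rule in RULES}
            for name, qs in SAMPLES.items()}


if __name__ == '__main__':
    for name, row in matrix().items():
        flags = '  '.join(f"{r}={'BLOCK' if b else 'pass'}" for r, b in row.items())
        print(f'{name:22} {flags}')
```

The table this prints makes the trade-offs concrete. Dropping " and %22 lets the quoted "transcript" search through, but a UNION SELECT led by a double quote then passes this rule too. Dropping script also fixes the search, but a percent-encoded <script> probe no longer matches this rule (whether other BPS rules catch it is not something this thread says). The whole-word variant keeps both probes blocked while passing "transcript", provided the boundary treats a trailing %XX escape as a separator. Two structural points also show up: the special character has to come before the keyword, so "select transcript%22" is not blocked by any version, and because %{QUERY_STRING} is never decoded, a keyword that is itself percent-encoded (%75nion) is invisible to all of them.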

    #41362
    protection
    Participant

    Thanks so much for the quick response! What would be the bare minimum keywords/strings that I’d need to keep in that line? In other words, can I safely remove set and update?

    For what it’s worth, I’m using the Relevanssi plugin for searches on my site. According to the developer, “it’s not possible to do a SQL injection attack through Relevanssi search, all search terms are escaped and safe. Blocking can be used to keep these queries from polluting your logs, but it’s not necessary for security.”

    #41363
    AITpro Admin
    Keymaster

    SELECT, INSERT and DELETE are the most commonly used commands in SQL Injection attacks. The SET command is used less frequently and the UPDATE command is used even less frequently.

    The BPS security rule processes the search Query String before it is processed by the Relevanssi plugin’s search form processing code. That is why I previously said that stripping out double-quote code characters would probably be too difficult to do.

    So what I recommend that you do is to remove the double-quote code characters: " and %22, and don’t remove any SQL commands. Almost all SQL Injection attacks use the apostrophe or single-quote code character.

    #41366
    protection
    Participant

    Great, thanks so much!
