Basically, my friend has an HTML form that includes a text area. Users should be able to enter any text (think paragraphs) into this field for entry into a database.
The company hosting this new site, however, has mod_security installed and configured so that if a user enters any word reserved in SQL (insert, delete, describe, etc.), the POST transaction is denied and a 500 error status is returned.
They claim that this is their standard (in order to block injection attacks) and refuse to change the configuration. They also claim that numerous other developers find their way around this.
I myself have quite a bit of experience in the PHP/MySQL world but have never encountered this with a hosting provider.
The only way around this I see would be to filter out the reserved words client-side through JavaScript; however, I don't see this as a viable solution, because users with JavaScript disabled (I am a huge proponent of graceful degradation & progressive enhancement) will simply be served an unusable form.
So my questions are:
1. Do you think the hosting provider is being a bit overzealous to not trust developers to do the proper filtering after the POST but before accessing/updating the database?
2. Do you know of a way around this that does not involve client-side manipulation of the input prior to the POST?
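As an added example (not from the question or any of the answers), here is what the "proper filtering after the POST" in point 1 looks like in PHP: the application never splices user text into SQL at all, so free paragraphs containing reserved words are stored safely, whereas a keyword blocklist like the host's rule (approximated here by a hypothetical `keywordBlocklistRejects` function) rejects ordinary prose. It uses an in-memory SQLite database through PDO so it runs stand-alone.

```php
<?php
// Added example, not code from the original post. Approximates the host's
// mod_security behaviour with a keyword check and contrasts it with a
// parameterised INSERT, which is the actual defence against injection.

// Rough stand-in for the host's rule: reject any value containing a reserved word.
function keywordBlocklistRejects(string $text): bool
{
    $reserved = ['insert', 'delete', 'describe', 'update', 'select', 'drop'];
    foreach ($reserved as $word) {
        if (preg_match('/\b' . $word . '\b/i', $text)) {
            return true;
        }
    }
    return false;
}

// What the application should do: bind the value as a parameter so the
// database driver never interprets it as SQL, whatever words it contains.
function storeComment(PDO $db, string $text): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: legitimate paragraphs that happen to contain
// reserved words, plus an apostrophe to show quoting is handled by binding.
$samples = [
    "Please describe the steps to delete my old account.",
    "Could you insert a note that I'll update my address next month?",
    "O'Brien asked us to select a new delivery slot.",
];

foreach ($samples as $text) {
    $verdict = keywordBlocklistRejects($text) ? 'keyword rule: blocked' : 'keyword rule: allowed';
    $id = storeComment($db, $text);
    printf("%-22s | stored safely as row %d\n", $verdict, $id);
}

// Every value round-trips unchanged and no user-supplied SQL was executed.
$rows = $db->query('SELECT body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
if ($rows !== $samples) {
    throw new RuntimeException('round-trip mismatch');
}
echo count($rows), " rows stored; reserved words in text were never a risk.\n";
```

All three samples are blocked by the keyword rule yet are harmless to the parameterised query, which is the point the question makes about trusting server-side handling over a word list.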
1. Yes, it certainly seems that way.
2. Sounds pretty impossible to change the input prior to POST without doing it on the client side.
Something like describe<span></span> might work, but that's just stupid. mod_security should be looking for the whole syntax of a query instead of a single word.
All you need is an array of the words you want to check for and an array of words you want to replace them with, in the opposite array order. Check out Example 1697 on that link.
@kari.patila Thanks, I've recommended that they either get the hosting provider to make the needed changes to their setup, or go with a different provider.
@jernigani Thanks for the suggestion; however, I don't think that this would be possible to do prior to the POST.