Due to the huge spur in SQL injection attacks, Sana Ullah has done some great work on some .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly.
RewriteEngine on
#SQL Injection Protection --Read More www.cybercrime.gov
#Please use these rules if below words does not conflict with your friendly-urls. You may modify accordingly
RewriteRule ^.*EXEC(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]
#Ignore images and this would be last rule --if the condition matched
RewriteRule ^/(.*.(png|gif|jpg|bmp)) /$1 [L,PT,NC]
#Ignore CSS or JS files and this would be last rule --if the condition matched
RewriteRule ^/(.*.(css|js)) /$1 [L,PT,NC]
#Ignore txt/doc/pdf/xls files and this would be last rule --if the condition matched
RewriteRule ^/(.*.(txt|pdf|doc|xls)) /$1 [L,PT,NC]
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
Blog
Recent Entries
Partner with BoxLang and Ortus at Into the Box 2025: Empowering the Future of Modern Software Development!
At Ortus Solutions, we’ve always been at the forefront of innovation in the ColdFusion ecosystem. From pioneering modern ColdFusion practices to developing cutting-edge tools and frameworks, we’ve been passionate to help and sup[port the community into shaping the future of web development.That’s why we decided to build BoxLang, our new JVM programming language that not only builds on the strengths of ColdFusion but takes modern software development to the next level.
Ortus Solutions & BoxLang at Jfokus 2025: Silver Sponsor and Innovator
We’re thrilled to announce that Ortus Solutions, through BoxLang, will be participating as a Silver Sponsor at the prestigious Jfokus 2025 conference! Taking place in Stockholm, Sweden, from February 3 to 5, Jfokus is one of the premier developer conferences in Europe, bringing together thousands of tech enthusiasts, thought leaders, and industry professionals.
Why BoxLang When You Have Kotlin, Groovy, Scala, and more…
As we approach a stable release of BoxLang and our continued marketing reaches more folks, many have asked about its purpose. Why create a new language when the JVM ecosystem already includes established languages like Kotlin, Groovy, and Scala, to name a few.
Add Your Comment
(2)
Aug 08, 2008 19:34:48 UTC
by O?uz Demirkap?
Great work! Thanks :)
Sep 16, 2008 08:47:54 UTC
by Mark Mazelin
Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need to exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...