The best way to prevent SQL injection is to filter and escape all data that is submitted to the backend.
For simple cases, such as requests containing single quotes ('), semicolons (;), and similar characters, the request can be rewritten directly to the 404 page.
There is a prerequisite for using rewrite: by default, a rewrite pattern is matched only against the URI of the page, that is, the part of the URL before the ?; the part after the ? is the request parameters (the query string).
The query string after the question mark, available in nginx as $query_string, cannot be matched by rewrite and has to be tested with an if block instead.
For example, to match a single quote in the argument and send the request to the error page, one might try:
/plus/list.php?tid=19&mid=1124'
rewrite ^.*([;'<>]).* /error.html break;
A rewrite written this way will never match, because the rewrite pattern is applied only to the request URI, which here is the /plus/list.php part.
You need to test $query_string instead to determine whether the query string contains special characters, and return 404 if it does:
if ($query_string ~* ".*[;'<>].*") {
    return 404;
}
Below is a complete configuration file example, shared for reference:
server {
    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; }
    if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; }
    if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; }
    if ($block_sql_injections = 1) { return 444; }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") { set $block_file_injections 1; }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; }
    if ($block_file_injections = 1) { return 444; }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; }
    if ($query_string ~ "GLOBALS(=|\[|%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
    if ($query_string ~ "_REQUEST(=|\[|%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
    if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $block_common_exploits 1; }
    if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; }
    if ($block_common_exploits = 1) { return 444; }

    ## Block spam
    set $block_spam 0;
    if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") { set $block_spam 1; }
    if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") { set $block_spam 1; }
    if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") { set $block_spam 1; }
    if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") { set $block_spam 1; }
    if ($block_spam = 1) { return 444; }

    ## Block user agents
    set $block_user_agents 0;
    # Don't disable wget if you need it to run cron jobs!
    #if ($http_user_agent ~ "Wget") { set $block_user_agents 1; }
    # Disable Akeeba Remote Control 2.5 and earlier
    if ($http_user_agent ~ "Indy Library") { set $block_user_agents 1; }
    # Common bandwidth hoggers and hacking tools.
    if ($http_user_agent ~ "libwww-perl") { set $block_user_agents 1; }
    if ($http_user_agent ~ "GetRight") { set $block_user_agents 1; }
    if ($http_user_agent ~ "GetWeb!") { set $block_user_agents 1; }
    if ($http_user_agent ~ "Go!Zilla") { set $block_user_agents 1; }
    if ($http_user_agent ~ "Download Demon") { set $block_user_agents 1; }
    if ($http_user_agent ~ "Go-Ahead-Got-It") { set $block_user_agents 1; }
    if ($http_user_agent ~ "TurnitinBot") { set $block_user_agents 1; }
    if ($http_user_agent ~ "GrabNet") { set $block_user_agents 1; }
    if ($http_user_agent ~ "WebBench") { set $block_user_agents 1; }
    if ($http_user_agent ~ "ApacheBench") { set $block_user_agents 1; }
    if ($http_user_agent ~ ^$) { set $block_user_agents 1; }
    if ($http_user_agent ~ "Python-urllib") { set $block_user_agents 1; }
    if ($block_user_agents = 1) { return 444; }
}
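To see why the rewrite never fires while the $query_string checks do, and to exercise the server block above against realistic requests without a running nginx, here is an added Python port of the page's rules. This is example code written for this page, not nginx and not the page's own configuration; the URLs, query strings and User-Agent values in it are constructed samples, and the function names (split_request, rewrite_matches, simple_filter, server_block) are assumptions of the example. It deliberately includes the two cases a practitioner should check before deploying such rules: a request the full server block does not catch (the single-quote case from the first half of the page), and a legitimate request it blocks.

```python
import re
from urllib.parse import urlsplit

# Added example: a Python port of the page's nginx rules for offline checking.
# Not nginx and not the page's own code; all sample requests are constructed.
#
# nginx applies "~" case-sensitively and "~*" case-insensitively, and both operate
# on the raw, still percent-encoded $query_string, so the flags below mirror that.

# The page's first attempt: a rewrite regex, which nginx applies only to the URI path.
REWRITE_RE = re.compile(r"^.*([;'<>]).*")
# The page's corrected single "if": special characters anywhere in the query string.
SPECIAL_CHARS_RE = re.compile(r".*[;'<>].*", re.IGNORECASE)  # nginx: ~* ".*[;'<>].*"

# Rule groups from the page's server block, in the order nginx evaluates them.
SQL_RULES = [r"union.*select.*\(", r"union.*all.*select.*", r"concat.*\("]
FILE_RULES = [r"[a-zA-Z0-9_]=http://",
              r"[a-zA-Z0-9_]=(\.\.//?)+",
              r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+"]
EXPLOIT_RULES = [r"(<|%3C).*script.*(>|%3E)",
                 r"GLOBALS(=|\[|%[0-9A-Z]{0,2})",
                 r"_REQUEST(=|\[|%[0-9A-Z]{0,2})",
                 r"proc/self/environ",
                 r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
                 r"base64_(en|de)code\(.*\)"]
SPAM_RULES = [r"\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b",
              r"\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b",
              r"\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b",
              r"\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b"]
UA_RULES = [r"Indy Library", r"libwww-perl", r"GetRight", r"GetWeb!", r"Go!Zilla",
            r"Download Demon", r"Go-Ahead-Got-It", r"TurnitinBot", r"GrabNet",
            r"WebBench", r"ApacheBench", r"^$", r"Python-urllib"]


def split_request(url: str):
    """Split a request target the way nginx does: $uri before the first '?',
    $query_string after it. Nothing is percent-decoded, exactly as in nginx."""
    parts = urlsplit(url)
    return parts.path, parts.query


def rewrite_matches(url: str) -> bool:
    """Whether the page's broken rewrite would fire: it only ever sees the path."""
    path, _ = split_request(url)
    return REWRITE_RE.search(path) is not None


def simple_filter(url: str) -> int:
    """The page's corrected if-block: 404 when the query string holds ; ' < or >, else 200."""
    _, query = split_request(url)
    return 404 if SPECIAL_CHARS_RE.search(query) else 200


def server_block(url: str, user_agent: str = ""):
    """The page's full server block. Returns (444, group) for the first rule group
    that fires, or (200, None). A missing User-Agent header is an empty
    $http_user_agent in nginx, hence the default of "" (which the ^$ rule blocks)."""
    _, query = split_request(url)
    groups = [("sql_injections", SQL_RULES, query),
              ("file_injections", FILE_RULES, query),
              ("common_exploits", EXPLOIT_RULES, query),
              ("spam", SPAM_RULES, query),
              ("user_agents", UA_RULES, user_agent)]
    for name, rules, subject in groups:
        if any(re.search(pattern, subject) for pattern in rules):
            return 444, name
    return 200, None


if __name__ == "__main__":
    # Constructed sample requests (url, User-Agent); none are real traffic.
    samples = [
        ("/plus/list.php?tid=19&mid=1124", "Mozilla/5.0"),
        ("/plus/list.php?tid=19&mid=1124'", "Mozilla/5.0"),
        ("/index.php?id=1%20union%20select%201,2,version()", "Mozilla/5.0"),
        ("/index.php?page=http://attacker.invalid/x.txt", "Mozilla/5.0"),
        ("/search?q=%3Cscript%3Ealert(1)%3C/script%3E", "Mozilla/5.0"),
        ("/docs/search?q=how+to+use+concat()", "Mozilla/5.0"),
        ("/index.php", "ApacheBench/2.3"),
        ("/index.php", ""),
    ]
    for url, ua in samples:
        print(f"{url!r:55} UA={ua!r:18} rewrite={rewrite_matches(url)!s:5} "
              f"simple={simple_filter(url)} server={server_block(url, ua)}")
```

Running it shows the point of the page directly: rewrite_matches is False for every sample, because the offending characters live in the query string, while simple_filter returns 404 for the quoted request. It also shows two things the page does not spell out. The full server block returns 200 for /plus/list.php?tid=19&mid=1124' (none of its groups looks for a bare quote, so the single if from the first half of the page is not redundant), and it returns 444 for a harmless documentation search containing concat(), which is the false-positive cost of such pattern lists. Treat these rules as a coarse edge filter that reduces noise and gives you something to alert on, not as the application's defence against SQL injection; the "filter and escape" the page opens with still has to happen in the application (ideally with parameterised queries). If you keep the rules in nginx, the same tables are more idiomatically expressed with an nginx map on $query_string than with long if chains.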