This article covers the simplest Nginx protection against SQL injection attacks, and the configuration Implementation of file security protection against attacks. For more information, see. The basic SQL Injection principle is as follows: use union all to obtain the contents of other tables (such as the user password of the user table). Defense principles: 1. filter the injection keywords in basic URLs using the above configuration; 2. of course, the user password in the database must be encrypted and stored; 3. the php program performs Secondary Filtering to filter the keywords in GET and POST variables. 4. disable the error message of PHP and MySQL in the production environment. For simple cases, such as single quotation marks ('), semicolons (;), <,>, and other characters, you can use rewrite to directly subscribe to the 404 page. There is a premise to use rewrite. Generally, rewrite is used for regular matching and can only match the URI of the webpage, that is, the url? First part ,? Later parts are request parameters. The request parameters following the question mark are displayed in the $ query_string table in nginx. They cannot be matched in rewrite. if is used to determine the request parameters. For example, match the 'with single quotes in the parameter and then redirect to the error page. The Code is as follows: copy the code/plus/list. php? Tid = 19 & mid = 1124 'rewrite ^. * ([; '<>]). */error.html break; writing such a rewrite directly will certainly not match correctly, because the rewrite parameter will only match the requested uri, that is,/plus/list. php section. You need to use $ query_string to determine with if. if the query string contains special characters, 404 is returned. The Code is as follows: copy the Code if ($ query_string ~ *". * [; '<>]. * ") {Return 404;} SQL injection attacks are usually the request parameters following the question mark. In nginx, $ query_string indicates the following code: copy the Code if ($ request_uri ~ * "(Cost () | (concat ()") {return 404;} if ($ request_uri ~ * "[+ | (% 20)] union [+ | (% 20)]") {return 404;} if ($ request_uri ~ * "[+ | (% 20)] and [+ | (% 20)]") {return 404;} if ($ request_uri ~ * "[+ | (% 20)] select [+ | (% 20)]") {return 404;} if ($ query_string ~ *". * [; '<>]. * ") {Return 404;} prevent SQL injection attacks by adding the following configuration to the server segment of the VM: copy the code below if ($ request_uri ~ *(. *) (Insert | select | delete | update | count | * | % | master | truncate | declare | '|; | and | or | (|) | exec )(. *) $) {rewrite ^ (. *) 11 redirect;} Of course, we can also return the 404 error: the code is as follows: copy the Code if ($ request_uri ~ *(. *) (Insert | select | delete | update | count | * | % | master | truncate | declare | '|; | and | or | (|) | exec )(. *) $) {return 404;} Add the following fields to the configuration file: server {## Block SQL injections set $ block_ SQL _injections 0; if ($ query_string ~ "Union. * select. * (") {set $ block_ SQL _injections 1;} if ($ query_string ~ "Union. * all. * select. *") {set $ block_ SQL _injections 1;} if ($ query_string ~ "Concat. * (") {set $ block_ SQL _injections 1;} if ($ block_ SQL _injections = 1) {return 444 ;## disable file injection set $ block_file_injections 0; if ($ query_string ~ "[A-zA-Z0-9 _] = http: //") {set $ block_file_injections 1;} if ($ query_string ~ "[A-zA-Z0-9 _] = (..//?) + ") {Set $ block_file_injections 1;} if ($ query_string ~ "[A-zA-Z0-9 _] =/([a-z0-9 _.] //?) + ") {Set $ block_file_injections 1;} if ($ block_file_injections = 1) {return 444 ;## block overflow attack set $ block_common_exploits 0; if ($ query_string ~ "(<| % 3C). * script. * (> | % 3E)") {set $ block_common_exploits 1;} if ($ query_string ~ "GLOBALS (= | [| % [0-9A-Z] {0, 2})") {set $ block_common_exploits 1;} if ($ query_string ~ "_ REQUEST (= | [| % [0-9A-Z] {0, 2})") {set $ block_common_exploits 1;} if ($ query_string ~ "Proc/self/environ") {set $ block_common_exploits 1;} if ($ query_string ~ "MosConfig _ [a-zA-Z _] {} (= | % 3D)") {set $ block_common_exploits 1;} if ($ query_string ~ "Base64_( en | de) code (. *) ") {set $ block_common_exploits 1;} if ($ block_common_exploits = 1) {return 444 ;## disable the spam field set $ block_spam 0; if ($ query_string ~ "B (ultram | unicauca | valium | viagra | vicodin | xanax | ypxaieo) B") {set $ block_spam 1;} if ($ query_string ~ "B (erections | hoodia | huronriveracres | impotence | levitra | libido) B") {set $ block_spam 1;} if ($ query_string ~ "B (ambien | bluespill | cialis | cocaine | ejaculation | erectile) B") {set $ block_spam 1;} if ($ query_string ~ "B (lipitor | phentermin | pro [sz] ac | sandyauer | tramadol | troyhamby) B") {set $ block_spam 1;} if ($ block_spam = 1) {return 444 ;}## disable user-agents set $ block_user_agents 0; # Don't disable wget if you need it to run cron jobs! # If ($ http_user_agent ~ "Wget") {# set $ block_user_agents 1 ;#}# Disable Akeeba Remote Control 2.5 and earlier if ($ http_user_agent ~ "Indy Library") {set $ block_user_agents 1 ;}# Common bandwidth hoggers and hacking tools. if ($ http_user_agent ~ "Libwww-perl") {set $ block_user_agents 1;} if ($ http_user_agent ~ "GetRight") {set $ block_user_agents 1;} if ($ http_user_agent ~ "GetWeb !") {Set $ block_user_agents 1;} if ($ http_user_agent ~ "Go! Zilla ") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Download Demon") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Go-Ahead-Got-It") {set $ block_user_agents 1;} if ($ http_user_agent ~ "TurnitinBot") {set $ block_user_agents 1;} if ($ http_user_agent ~ "GrabNet") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Webinterfaces") {set $ block_user_agents 1;} if ($ http_user_agent ~ "Apachetasks") {set $ block_user_agents 1;} if ($ http_user_agent ~ ^ $) {Set $ block_user_agents 1;} if ($ http_user_agent ~ "Python-urllib") {set $ block_user_agents 1;} if ($ block_user_agents = 1) {return 444 ;}}