Summary of Nginx protection against SQL injection attacks

Basic SQL injection principles:

Get the content of other tables through union all union query (for example, the user password of the user table)
Defense principle:
1. Filter the injection keywords in the basic url through the above configuration;
2. Of course, the user password in the database must be encrypted and stored;
3. The php program performs secondary filtering to filter keywords in GET and POST variables;
4. Disable the error message of PHP and MySQL in the production environment.

For simple cases, such as single quotation marks ('), semicolons (;), <,>, and other characters, you can use rewrite to directly subscribe to the 404 page.
 
There is a premise to use rewrite. Generally, rewrite is used for regular matching and can only match the URI of the webpage, that is, the url? First part ,? Later parts are request parameters.
 
The request parameters following the question mark are displayed in the $ query_string table in nginx. They cannot be matched in rewrite. if is required
 
For example, match the 'with single quotes in the parameter and then direct it to the error page,
 

The code is as follows:	Copy code
/Plus/list. php? Tid = 19 & mid = 1124'   Rewrite ^. * ([; '<>]). */error.html break;

 
Directly writing such an rewrite will certainly not match correctly, because the rewrite parameter will only match the requested uri, that is, the/plus/list. php part.
 
You need to use $ query_string to determine with if. if the query string contains special characters, 404 is returned.
 

The code is as follows:	Copy code
If ($ query_string ~ * ". * [; '<>]. *") { Return 404; }

SQL injection attacks are generally the request parameters following the question mark, which are represented by $ query_string in nginx.

 

The code is as follows:	Copy code
If ($ request_uri ~ * "(Cost () | (concat ()"){ Return 404;         } If ($ request_uri ~ * "[+ | (% 20)] union [+ | (% 20)]") { Return 404;         } If ($ request_uri ~ * "[+ | (% 20)] and [+ | (% 20)]") { Return 404;         } If ($ request_uri ~ * "[+ | (% 20)] select [+ | (% 20)]") { Return 404;         } If ($ query_string ~ * ". * [; '<>]. *") { Return 404; }

Prevent SQL injection attacks

Add the following configurations to the server segment of the VM:

The code is as follows:	Copy code
If ($ request_uri ~ *(. *) (Insert | select | delete | update | count | * | % | master | truncate | declare | '|; | and | or | (|) | exec )(. *) $) {rewrite ^ (. *) 11 redirect ;}

Of course, we can also return the 404 error:

The code is as follows:	Copy code
If ($ request_uri ~ *(. *) (Insert | select | delete | update | count | * | % | master | truncate | declare | '|; | and | or | (|) | exec )(. *) $) {return 404 ;}

Other methods

Add the following fields to the configuration file:

The code is as follows:

Copy code

Server { # Block SQL injections for SQL injection Set $ block_ SQL _injections 0; If ($ query_string ~ "Union. * select. * (") { Set $ block_ SQL _injections 1; } If ($ query_string ~ "Union. * all. * select .*"){ Set $ block_ SQL _injections 1; } If ($ query_string ~ "Concat. * (") { Set $ block_ SQL _injections 1; } If ($ block_ SQL _injections = 1 ){ Return 444; } # Disable file injection Set $ block_file_injections 0; If ($ query_string ~ "[A-zA-Z0-9 _] = http ://"){ Set $ block_file_injections 1; } If ($ query_string ~ "[A-zA-Z0-9 _] = (..//?) + "){ Set $ block_file_injections 1; } If ($ query_string ~ "[A-zA-Z0-9 _] =/([a-z0-9 _.] //?) + "){ Set $ block_file_injections 1; } If ($ block_file_injections = 1 ){ Return 444; } # Preventing overflow attacks Set $ block_common_exploits 0; If ($ query_string ~ "(<| % 3C). * script. * (> | % 3E )"){ Set $ block_common_exploits 1; } If ($ query_string ~ "GLOBALS (= | [| % [0-9A-Z] {0, 2 })"){ Set $ block_common_exploits 1; } If ($ query_string ~ "_ REQUEST (= | [| % [0-9A-Z] {0, 2 })"){ Set $ block_common_exploits 1; } If ($ query_string ~ "Proc/self/environ "){ Set $ block_common_exploits 1; } If ($ query_string ~ "MosConfig _ [a-zA-Z _] {} (= | % 3D )"){ Set $ block_common_exploits 1; } If ($ query_string ~ "Base64 _ (en | de) code (.*)"){ Set $ block_common_exploits 1; } If ($ block_common_exploits = 1 ){ Return 444; } # Disable the spam field Set $ block_spam 0; If ($ query_string ~ "B (ultram | unicauca | valium | viagra | vicodin | xanax | ypxaieo) B "){ Set $ block_spam 1; } If ($ query_string ~ "B (erections | hoodia | huronriveracres | impotence | levitra | libido) B "){ Set $ block_spam 1; } If ($ query_string ~ "B (ambien | bluespill | cialis | cocaine | ejaculation | erectile) B "){ Set $ block_spam 1; } If ($ query_string ~ "B (lipitor | phentermin | pro [sz] ac | sandyauer | tramadol | troyhamby) B "){ Set $ block_spam 1; } If ($ block_spam = 1 ){ Return 444; } # Disable user-agents Set $ block_user_agents 0; # Don't disable wget if you need it to run cron jobs! # If ($ http_user_agent ~ "Wget "){ # Set $ block_user_agents 1; #} # Disable Akeeba Remote Control 2.5 and earlier If ($ http_user_agent ~ "Indy Library "){ Set $ block_user_agents 1; } # Common bandwidth hoggers and hacking tools. If ($ http_user_agent ~ "Libwww-perl "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "GetRight "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "GetWeb !") { Set $ block_user_agents 1; } If ($ http_user_agent ~ "Go! Zilla "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "Download Demon "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "Go-Ahead-Got-It "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "TurnitinBot "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "GrabNet "){ Set $ block_user_agents 1; } If ($ http_user_agent ~ "WebSockets "){ Set $ block_user_agents 1;     } If ($ http_user_agent ~ "Apachetasks "){ Set $ block_user_agents 1;     } If ($ http_user_agent ~ ^ $ ){ Set $ block_user_agents 1;     } If ($ http_user_agent ~ "Python-urllib "){ Set $ block_user_agents 1;     } If ($ block_user_agents = 1 ){ Return 444; } }