Due to the huge spur in SQL injection attacks, Sana Ullah has done some great work on some .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly.
RewriteEngine on
#SQL Injection Protection --Read More www.cybercrime.gov
#Please use these rules if below words does not conflict with your friendly-urls. You may modify accordingly
RewriteRule ^.*EXEC(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST(.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC]
#Ignore images and this would be last rule --if the condition matched
RewriteRule ^/(.*.(png|gif|jpg|bmp)) /$1 [L,PT,NC]
#Ignore CSS or JS files and this would be last rule --if the condition matched
RewriteRule ^/(.*.(css|js)) /$1 [L,PT,NC]
#Ignore txt/doc/pdf/xls files and this would be last rule --if the condition matched
RewriteRule ^/(.*.(txt|pdf|doc|xls)) /$1 [L,PT,NC]
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
Blog
Recent Entries
BoxLang AI v3.1 Released - Audio, Async, Parallel Pipelines, and More π€β‘π
BoxLang AI 3.1 is here, and it's a release that makes your agents smarter, faster, and more capable than ever. π
Luis Majano
Luis Majano
April
20,
2026
ColdBox 8.1.0 Released β AI Routing, MCP, and BoxLang-First Power! π
We are thrilled to announce ColdBox 8.1.0, a targeted minor release packed with powerful new features, important improvements, and critical bug fixes across ColdBox, WireBox, and CacheBox. While minor in version number, this release delivers some truly exciting capabilities β especially for BoxLang developers building AI-powered applications.
Luis Majano
Luis Majano
April
14,
2026
ColdFusion Modernization for UK Universities Without Downtime
Across the United Kingdom, many universities still rely on legacy ColdFusion and CFML systems to power student portals, enrollment platforms, research databases, payment gateways, and internal academic workflows.
These systems are often:
- 15 to 25 years old
- Mission-critical
- Deeply integrated with student information systems
- Running on older Adobe ColdFusion or Lucee versions
- Tightly coupled monolithi...
Cristobal Escobar
Cristobal Escobar
April
13,
2026
Add Your Comment
(2)
Aug 08, 2008 19:34:48 UTC
by O?uz Demirkap?
Great work! Thanks :)
Sep 16, 2008 08:47:54 UTC
by Mark Mazelin
Luis:
Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need to exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule?
Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...