Due to the huge surge in SQL injection attacks, Sana Ullah has done some great work on a set of .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing them here. Please note that all the rules are written for ColdBox SES URLs, so make sure to update them accordingly.
RewriteEngine on

# SQL Injection Protection -- Read More www.cybercrime.gov
# Please use these rules only if the words below do not conflict with your friendly URLs. You may modify accordingly.
# Note: a RewriteRule pattern is matched against the %-decoded URL path only, never the query string,
# so these rules cover SES-style URLs (/index.cfm/handler/action/value) but not ?param=value requests.
# The parentheses in the patterns must be escaped, otherwise Apache rejects the regex.
RewriteRule ^.*EXEC\(@.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*CAST\(.*$ /notfound.htm [L,F,NC]
# This rule already covers "DECLARE " followed by anything, so no separate DECLARE%20 rule is needed.
RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC]
RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC]
# The path is already decoded when matched, so "%20" arrives as a literal space; quote the pattern.
RewriteRule "^.* xp_.*$" /notfound.htm [L,F,NC]

# Ignore images -- this is the last rule applied if the condition matched.
# In .htaccess (per-directory) context the leading slash is stripped before matching, hence the optional "/".
RewriteRule ^/?(.*\.(png|gif|jpg|bmp))$ /$1 [L,PT,NC]
# Ignore CSS or JS files -- this is the last rule applied if the condition matched.
RewriteRule ^/?(.*\.(css|js))$ /$1 [L,PT,NC]
# Ignore txt/doc/pdf/xls files -- this is the last rule applied if the condition matched.
RewriteRule ^/?(.*\.(txt|pdf|doc|xls))$ /$1 [L,PT,NC]

# Route the site root and every request that is not an existing file or directory
# through the ColdBox front controller, keeping the query string (QSA).
RewriteRule ^$ index.cfm [QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]
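An added example (not part of the original post or the ColdBox project) that emulates how mod_rewrite evaluates the blocking patterns above: the pattern is tested against the %-decoded URL path only, which is why the rules catch a keyword placed in an SES-style path, why a friendly URL that happens to contain one of the words also trips them, and why a keyword that appears only in the query string passes through. The sample request targets are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit

# The blocking patterns from the rule set above, with parentheses escaped
# as PCRE requires. Apache's [NC] flag corresponds to re.IGNORECASE.
BLOCK_PATTERNS = [
    r"^.*EXEC\(@.*$",
    r"^.*CAST\(.*$",
    r"^.*DECLARE.*$",
    r"^.*NVARCHAR.*$",
    r"^.*sp_password.*$",
    r"^.* xp_.*$",
]
BLOCK_RES = [re.compile(p, re.IGNORECASE) for p in BLOCK_PATTERNS]


def rewrite_rule_blocks(request_target: str) -> bool:
    """Emulate the matching these RewriteRules perform.

    mod_rewrite tests the pattern against the %-decoded URL path only;
    the query string is not part of the string being matched.
    """
    path = unquote(urlsplit(request_target).path)
    return any(rx.match(path) for rx in BLOCK_RES)


def classify(request_targets):
    """Map each request target to True (blocked with 403) or False (passed on)."""
    return {t: rewrite_rule_blocks(t) for t in request_targets}


# Constructed sample request targets (not taken from the page).
SAMPLES = [
    "/index.cfm/blog/post/view/12",             # ordinary SES URL: passes
    "/index.cfm/blog/post/view/declare%20@v",   # keyword in the SES path: blocked (NC)
    "/index.cfm/blog/declared-winner",          # friendly URL containing "declare": false positive
    "/index.cfm/blog/search?q=DECLARE%20@v",    # keyword only in the query string: passes
]

if __name__ == "__main__":
    for target, blocked in classify(SAMPLES).items():
        print(f"{'BLOCK' if blocked else 'pass '}  {target}")
```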
Aug 08, 2008 19:34:48 UTC
by Oğuz Demirkapı
Great work! Thanks :)
Sep 16, 2008 08:47:54 UTC
by Mark Mazelin
Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need the exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...