Blog

.htacces rules to protect against SQL Injection attacks

ColdBox MVC, Tutorials, Tutorials
Luis Majano October 15, 2008

Spread the word

Luis Majano

October 15, 2008

Spread the word

Share your thoughts

Ortus Solutions

Due to the huge spur in SQL injection attacks, Sana Ullah has done some great work on some .htaccess rules to protect against such injections. They have been committed to the ColdBox SVN, but we are also sharing here. Please note that all the rules are for ColdBox SES, so make sure to update accordingly. RewriteEngine on #SQL Injection Protection --Read More www.cybercrime.gov #Please use these rules if below words does not conflict with your friendly-urls. You may modify accordingly RewriteRule ^.*EXEC(@.*$ /notfound.htm [L,F,NC] RewriteRule ^.*CAST(.*$ /notfound.htm [L,F,NC] RewriteRule ^.*DECLARE.*$ /notfound.htm [L,F,NC] RewriteRule ^.*DECLARE%20.*$ /notfound.htm [L,F,NC] RewriteRule ^.*NVARCHAR.*$ /notfound.htm [L,F,NC] RewriteRule ^.*sp_password.*$ /notfound.htm [L,F,NC] RewriteRule ^.*%20xp_.*$ /notfound.htm [L,F,NC] #Ignore images and this would be last rule --if the condition matched RewriteRule ^/(.*.(png|gif|jpg|bmp)) /$1 [L,PT,NC] #Ignore CSS or JS files and this would be last rule --if the condition matched RewriteRule ^/(.*.(css|js)) /$1 [L,PT,NC] #Ignore txt/doc/pdf/xls files and this would be last rule --if the condition matched RewriteRule ^/(.*.(txt|pdf|doc|xls)) /$1 [L,PT,NC] RewriteRule ^$ index.cfm [QSA] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)$ index.cfm/%{REQUEST_URI} [QSA,L]

Add Your Comment

(2)

Aug 08, 2008 19:34:48 UTC

by O?uz Demirkap?

Great work! Thanks :)

Sep 16, 2008 08:47:54 UTC

by Mark Mazelin

Luis: Great set of rewrite rules! I'm wondering about the rules past the hack attempts. Can you explain why you need to exceptions for images, stylesheets, javascript, misc. files? And why the index.cfm rewrite rule? Also, it's kinda funny that this blog entry is about hacking and the second comment is comment spam! Ugh...

Recent Entries

BoxLang AI: The Foundation for Real-World AI Systems!

BoxLang AI: The Foundation for Real-World AI Systems!

BoxLang AI: From AI Experiments to Real-World Systems!

Why we built BoxLang AI?

AI is everywhere. New models, new tools, new announcements every week. But for most teams, the real challenge isn’t choosing ...

Victor Campos
Victor Campos
January 30, 2026
Speaker Featuring - Round 1

Speaker Featuring - Round 1

Every conference is more than the talks we see on stage it’s also the story of the people who make it possible.

With the first round of Into the Box 2026 sessions and workshops now live, we’re excited to introduce some of the speakers who will be joining us this year. These community members, practitioners, and Ortus team experts bring decades of real-world experience across CFML, BoxLang, JVM modernization, testing, AI, and cloud-native development.

Victor Campos
Victor Campos
January 26, 2026
First Round of the Into the Box 2026 Agenda Is Live

First Round of the Into the Box 2026 Agenda Is Live

Into the Box 2026 marks an important moment for the CFML and BoxLang community not just because of what’s on the agenda, but because of what it represents: 20 years of Ortus Solutions helping teams move forward, modernize, and build with confidence.

Victor Campos
Victor Campos
January 21, 2026