SQL Injection ban

Jonas Mersholm

Dear DW forum,

I have a site, containing custom code, which performs some CRUD actions on the database.

Now, what's happening is (even though I'm using bound statements) that the SQL injection check is firing a ban command at my IP, even though I checked the "Do not ban ip's" checkbox in the "Security" settings.

How come it still bans the IP? And is there a way for me to check some logs somewhere, to figure out what part of my prepared statements it thinks is an injection?

Best regards.

Jonas


Replies

 
Nicolai Høeg Pedersen

Hi Jonas

There is no log.

But there is a bug, and that is why the checkbox does not work.

In your globalsettings.aspx you have a node, <DoNotBanIps>True</DoNotBanIps>, that is inside the <http> node. It has to be inside the <security> node.

Just made a bugfix so this will not happen - but until then.

You cannot have SQL statements or what looks like it in your URL - that will get you banned. But you can disable SQL-Injection check in your MC - then you should be home free.

If you let me know what you send to your module which gets you banned, I can tell you why you get caught.

Nicolai
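The node move described in the reply above, as an added example that is not part of the original posts or of Dynamicweb's own code: it reports where DoNotBanIps sits in a settings document and relocates it under the security node. Only the node names DoNotBanIps, http and security come from the thread; the root element, the nesting in the sample and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the node names DoNotBanIps, http and security come
# from the thread; the root element and the nesting are assumptions.
SAMPLE = """<Globalsettings>
  <System>
    <http>
      <DoNotBanIps>True</DoNotBanIps>
    </http>
    <security>
    </security>
  </System>
</Globalsettings>"""


def find_with_parent(root, tag):
    """Return (parent, element) pairs for every element named tag, ignoring case."""
    want = tag.lower()
    return [(p, c) for p in root.iter() for c in p if c.tag.lower() == want]


def relocate_do_not_ban(xml_text):
    """Move a misplaced DoNotBanIps under the security node; return (xml, report)."""
    root = ET.fromstring(xml_text)
    hits = find_with_parent(root, "DoNotBanIps")
    security = [e for e in root.iter() if e.tag.lower() == "security"]
    if not hits:
        return xml_text, ["DoNotBanIps not present"]
    if len(security) != 1:
        # Do not guess where a missing or ambiguous target belongs.
        return xml_text, ["expected one security node, found %d" % len(security)]
    target, report = security[0], []
    already = any(parent is target for parent, _ in hits)
    for parent, node in hits:
        if parent is target:
            report.append("ok: already under <security>")
        elif already:
            # Never overwrite an existing value; leave the duplicate for review.
            report.append("conflict: extra copy under <%s>, left in place" % parent.tag)
        else:
            parent.remove(node)
            target.append(node)
            already = True
            report.append("moved: from <%s> to <security>" % parent.tag)
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    fixed, notes = relocate_do_not_ban(SAMPLE)
    print("\n".join(notes))
    print(fixed)
```

Run it against a copy of the settings file and compare the output with the original before replacing anything.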

 
