Forum management
- Threads started by me
- Threads I participate in

Developer forum

SQL Injection ban

Jonas Mersholm

Posted on 18/02/2014 11:25:27

Dear DW forum,

I have a site, containing custom code, which performs some CRUD actions on the database.

Now, whats happening is (even though im using bound statements) that the SQL injection check is firing a ban command at my ip, even though i checked the "Do not ban ip's" checkbox in the "Security" settings.

How come, it still bans the ip? and is there a way for me to check some logs, somewhere, to figure what part of my prepared statements, it thinks is an injection?

best regards.

Jonas

Replies

Nicolai Høeg Pedersen

Posted on 19/02/2014 10:31:25

Hi Jonas

There are no log.

But - a bug, and that is why the checkbox that does not work.

In your globalsettings.aspx you have a node, <DoNotBanIps>True</DoNotBanIps>, that is inside <http> node. It has to be inside the <security> node.

Just made a bugfix so this will not happen - but until then.

You cannot have SQL statements or what looks like it in your URL - that will get you banned. But you can disable SQL-Injection check in your MC - then you should be home free.

If you let me know what you send to your module which gets you banned, I can tell you why you get caught.

Nicolai

You must be logged in to post in the forum