November 8, 2011 in Feedback
Some hosting companies are using ModSecurity or other security measures to safeguard against SQL injections and as a result, when in the ACP, SQL Toolbox and clicking on the number to view the records for a db table, instead of viewing the list an error will result. Since I'm using .htaccess to catch failed URLs, I'm getting a community message. However I can click to view the table structure and I can also do the query manually at the bottom of the page and have it work (select * from table_name) as the query isn't in the URL directly.
So either setting the record number to submit differently should fix it so that it won't create an issue on servers that have this security measure in place.
As an alternative to making the number do a submit, in case that would make it more work just to fix, perhaps including a couple of special commands that would get parsed to get around the issue. Such as the query being 'selectall table_name' would be converted to 'select * from table_name'. The 'selectall' would be a special command and would just be converted to 'select * from'. Gets around the security and should be a minimal code change to implement inside of the SQL toolbox.
Nah - but we could probably just base64 encode the string, or similar, to get around mod_sec catching it directly in the URL. Would need to investigate.
I'm sure you'll come up with something clever. After contacting my host again, they were able to whitelist it so it's working for me now. But you can imagine there are probably people who won't get such flexibility with their hosts. Thanks.
This topic is now archived and is closed to further replies.