Posted November 8, 2011
Some hosting companies are using ModSecurity or other security measures to safeguard against SQL injections and as a result, when in the ACP, SQL Toolbox and clicking on the number to view the records for a db table, instead of viewing the list an error will result. Since I'm using .htaccess to catch failed URLs, I'm getting a community message. However, I can click to view the table structure and I can also do the query manually at the bottom of the page and have it work (select * from table_name) as the query isn't in the URL directly. So setting the record number to submit differently should fix it so that it won't create an issue on servers that have this security measure in place.
November 16, 2011, Author
As an alternative to making the number do a submit, in case that would make it more work just to fix, perhaps including a couple of special commands that would get parsed to get around the issue. Such as the query being 'selectall table_name' would be converted to 'select * from table_name'. The 'selectall' would be a special command and would just be converted to 'select * from'. Gets around the security and should be a minimal code change to implement inside of the SQL toolbox.
November 16, 2011
Nah - but we could probably just base64 encode the string, or similar, to get around mod_sec catching it directly in the URL. Would need to investigate.
November 16, 2011, Author
I'm sure you'll come up with something clever. After contacting my host again, they were able to whitelist it so it's working for me now. But you can imagine there are probably people who won't get such flexibility with their hosts. Thanks.
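The first post's idea of having the record link submit differently can be done by putting only a table name in the URL and building the SELECT on the server, so the URL carries nothing SQL-shaped for ModSecurity to match and the rule set stays untouched. This is an added example, not code from the thread or from Invision Community; the function names, the URL and its parameters, and the table list are assumptions.

```php
<?php
// Added example. Function names, the URL and its parameters, and the
// table names are hypothetical; none of this is Invision Community code.

/** Build the "view records" link: it names the table and carries no SQL. */
function recordsLink(string $baseUrl, string $table): string
{
    return $baseUrl . '&' . http_build_query(['do' => 'records', 'table' => $table]);
}

/**
 * Turn the requested table name into the SELECT on the server side.
 * $knownTables would normally come from SHOW TABLES; here it is passed in.
 */
function buildRecordsQuery(string $requested, array $knownTables, int $limit = 50): string
{
    // Exact match against real table names: anything else is rejected,
    // so the parameter cannot carry SQL syntax into the query.
    if (!in_array($requested, $knownTables, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    // Keep the row count within a fixed range.
    $limit = max(1, min($limit, 500));
    // Backtick-quote the identifier (doubling embedded backticks) as a second layer.
    $ident = '`' . str_replace('`', '``', $requested) . '`';
    return "SELECT * FROM {$ident} LIMIT {$limit}";
}

// Constructed sample data.
$tables = ['members', 'posts', 'topics'];

echo recordsLink('/admin/index.php?app=core&module=sql', 'members'), "\n";

// One valid name and two inputs that must be refused (all constructed).
foreach (['members', 'members; DROP TABLE posts', 'nonexistent'] as $input) {
    try {
        echo buildRecordsQuery($input, $tables), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($input, true), "\n";
    }
}
```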
Archived
This topic is now archived and is closed to further replies.