PHP Mod_Security2 and POST/GET SQL from TextArea

devilwood (Silver Member, 436 posts)

Post 3+ Months Ago

I wanted a quicker way to run SQL on my application. I have a secure admin panel to which I wanted to add a page with a query window for quickly running queries, mostly for debugging. I put together the one-textarea form and posted the variable, and I got a 500 Internal Server Error. I finally figured out that it must be mod_security that is not allowing the query via POST or GET. I can post SELECT with no problems. I can post SELECT * with no problems. But as soon as I post SELECT * FROM I get the error.

Is there a way to limit mod_security without completely enabling SQL POSTs? I'm hesitant to just disable it entirely for one page out of the whole site that needs it.

It would be nice if there was a workaround to securely build my own SQL query window.
devilwood (Silver Member, 436 posts)

Post 3+ Months Ago

I think adding a directive like this:

    <Location /myscript.php>
    # SecFilterScanPOST is a ModSecurity 1.x directive; ModSecurity 2.x does not
    # recognise it (the 2.x equivalents are SecRequestBodyAccess / SecRuleEngine).
    SecFilterScanPOST Off
    </Location>


I'm using cPanel. Can I just add this to my Mod Security add-on config file manager? I see all the rules, but nothing really looks like an Apache config file. I assume the mod_security config file is just included in the Apache config file, so the above code should work inside the mod_security config file, right?

I have modsec2, so I don't think I can override it with .htaccess, and I was unsure about just adding it to my Apache config because of the order of directives. My only other option would be to edit the httpd.conf at the post-VirtualHost include.

Can someone please verify this for me?

Also, does the Location path start at the web root or at my public_html/?
MarPlo (Novice, 34 posts)

Post 3+ Months Ago

Hi,
You could use another word for FROM in your query passed via POST; then, in the script, replace that word with FROM.
devilwood (Silver Member, 436 posts)

Post 3+ Months Ago

I'm going to try that. I haven't had a chance until this week to go back to it. I've also got some things I can try to keep just that one script from using modsec, but it requires an Apache restart, so I've got to do it after hours.

The FROM change may be best, depending on how much of the string is compared. Thanks for your suggestions. I'm going to try it, if anything, just to see the rate of comparison.
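The question in the thread is how to exempt one admin page from mod_security without switching it off for the whole site. Two facts answer the side questions above: `<Location>` matches the URL path (so `/myscript.php` means `http://yourhost/myscript.php`, not a filesystem path under `public_html`), and ModSecurity 2.x does not ship `SecFilterScanPOST`, so that line would make Apache refuse to start. The configuration below is an added example, not something posted in the thread or part of cPanel's stock rule set; the path `/admin/query.php`, the rule id `10001`, and the tag `WEB_ATTACK/SQL_INJECTION` are assumptions (use your own script path and the tag your CRS version puts on its SQL injection rules). It shows a narrow exception first and the blunt equivalent of the old directive second.

```apache
# Added example (not from the original thread). ModSecurity 2.x config.
# /admin/query.php, id 10001 and the tag name are assumed values.

# Option 1: narrow exception. The engine stays on for this URL; only the
# rules tagged as SQL injection are dropped for it. Runs in phase 1 so the
# ctl action takes effect before the POST body is inspected in phase 2.
SecRule REQUEST_URI "@streq /admin/query.php" \
    "phase:1,id:10001,t:none,nolog,pass,\
     ctl:ruleRemoveByTag=WEB_ATTACK/SQL_INJECTION"

# Option 2: blunt exception, the 2.x equivalent of SecFilterScanPOST Off.
# The whole rule engine is off for this one path and nothing else.
<Location /admin/query.php>
    SecRuleEngine Off
</Location>
```

Either snippet belongs in the Apache configuration that ModSecurity is loaded from (on cPanel, the post-VirtualHost include the thread mentions is one such place); by default ModSecurity 2.x does not accept its directives from `.htaccess`. Aliasing FROM in the form, as suggested above, hides one keyword from the rules rather than scoping the exception: the SQL injection rules match on regular expressions over the whole argument, so UNION, WHERE, INSERT and the like will still trip them, and you end up re-implementing the evasion for every keyword. Whichever option you use, the page still needs the admin panel's own authentication in front of it; mod_security is not what keeps the query window private.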

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.