mod_security can kiss my ass

So there's been a problem with this blog, both on the comment side and this admin side where I make my posts. Namely, mod_security, an apache module, seems to be installed on my server and I can't disable it.
What does mod_security do? It scans all data sent to the server, and rejects any that fit a regex indicating it could be a potential SQL Injection.
Now, this sounds like an okay feature, except the regex it uses is completely retarded. And because of this, I'm leaving my server hosting when it's time to pay again. HostGator here I come.
Seriously, it's retarded. If I have the word "from" in my posts, it rejects it sometimes. If I have "create", or "insert", or "create table", it will probably reject it. My last post had 1 = 1^3, and the regex must have picked up "1 = 1", which is commonly used in SQL Injection, and rejected it.
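To make the false-positive problem concrete, here is an added example (my own illustration, not code from this blog or from the mod_security project). It uses a constructed keyword/regex filter in the spirit of what the post describes (the patterns are assumptions, not the real mod_security rules), runs it over a few constructed comment bodies, and then shows that storing the same text through a parameterized query keeps words like "from", "create" and "1 = 1" as plain data, which is the defence that makes keyword blocking unnecessary in the first place.

```python
import re
import sqlite3

# Constructed stand-in for a keyword/regex request filter of the kind the post
# describes. These patterns are illustrative, not mod_security's real rule set.
NAIVE_SQLI_PATTERNS = {
    "sql keyword": r"\b(select|insert|update|delete|drop|create|alter|union)\b",
    "from clause": r"\bfrom\b",
    "tautology": r"\b\d+\s*=\s*\d+",   # trips on "1 = 1", including "1 = 1^3"
}


def naive_filter_hits(text):
    """Return the names of the patterns a naive keyword filter trips on."""
    return [name for name, pat in NAIVE_SQLI_PATTERNS.items()
            if re.search(pat, text, re.IGNORECASE)]


# Constructed sample comment bodies: ordinary English that happens to contain
# SQL-looking words, like the post text the author says was rejected.
SAMPLE_POSTS = [
    "Greetings from the blog admin.",
    "I want to create a table of contents for the wiki.",
    "Observe that 1 = 1^3, so the identity holds.",
    "A perfectly harmless sentence about cats.",
]


def false_positive_report(posts):
    """Map each post to the patterns it trips. Three of the four benign posts
    are rejected, which is why keyword matching is a poor proxy for
    'this request contains an injection'."""
    return {post: naive_filter_hits(post) for post in posts}


def store_and_read_back(body):
    """Store arbitrary text with a parameterized query and read it back.

    The ? placeholder hands the text to the driver as data, never as SQL,
    so 'from', 'create table' and '1 = 1' are stored verbatim and no
    request-side keyword filter is needed for the query to be safe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO posts (body) VALUES (?)", (body,))
    (stored,) = conn.execute("SELECT body FROM posts").fetchone()
    conn.close()
    return stored


if __name__ == "__main__":
    for post, hits in false_positive_report(SAMPLE_POSTS).items():
        verdict = "REJECT" if hits else "accept"
        print(f"{verdict:6} {post!r} {hits}")
    print("stored verbatim:", store_and_read_back(SAMPLE_POSTS[2]))
```

The point of the second half is that the filter and the real fix operate at different layers: a request filter has to guess from free text whether something is SQL, while a parameterized query removes the question entirely because user text is never concatenated into a statement.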
So, what's my fix? I tried disabling mod_security, but that failed. And I was at a loss until using the bathroom tonight. (Funny how lots of my bright ideas come while using the bathroom...)
mod_security is the worst idea-with-good-intentions ever. Seriously, if you don't know how to deal with SQL Injection, and you're making websites, you deserve it when you are inevitably exploited. Apache, don't try to hold devs' hands on this.
Posted on 2010-04-03 by Jach
Trackback URL: https://www.thejach.com/view/2010/4/mod_security_can_kiss_my_ass