SQL Injection, URLscan, and BE.net querystrings

Oct 3, 2008 at 3:39 PM
Edited Oct 3, 2008 at 3:45 PM
On our web server, we have URLScan installed to watch over all the sites and prevent SQL Injection attacks in case there was code that wasn't written correctly on any of the sites. Among other things, it checks for all the basic SQL Injection words in the querystring, including "delete".

This causes a problem with BE.net because the delete entry querystring has "deletepost" in it, thereby triggering the URLscan filter.

I have two choices here... I can disable the filter for the word "delete" (which I don't want to do becuase I am not confident some of the older sites - which I don't control - on the server are immune to SQL injection), or I can alter the BE.net source to use a different word in the querystrings (which I don't want to do because I will have to remember to make the change every time I upgrade in the future).

For security reasons, I'll probably go with the second option (if I can figure out how), but for me personally, it would be best if future versions of BE.net would not use words like "delete", "insert", etc. in its querystrings. Perhaps other users feel the same.
Oct 3, 2008 at 11:22 PM
I think you should add this as an issue. I'll vote for this one.