The group contains SQL injection deny rules for parameter values. The security level Basic prevents injection of new SQL statements (e.g. ; DROP TABLE) and set operations (e.g. UNION SELECT). The security level Standard further prevents injection of SQL sub queries and SQL expressions in single quote context (e.g. ' or 1=1--). The security level Strict further prevents SQLi in unquoted context (e.g. 1 or 1).
Rule name | Basic | Standard | Strict |
|---|---|---|---|
(default 01) SQL injection rule | |||
(default SQL_001a) Expression in unquoted context in parameter value |
| ||
(default SQL_005a) Expression in quoted context in parameter value |
|
| |
(default SQL_020a) Statement in C style comment tag in parameter value |
|
|
|
(default SQL_025a) New statement in unquoted context in parameter value |
|
| |
(default SQL_030a) New statement in quoted context in parameter value |
|
|
|
(default SQL_040a) Sub query in bracket context in parameter value |
| ||
(default SQL_045a) Sub query in parameter value |
|
| |
(default SQL_050a) Condition elimination in unquoted context in parameter value |
| ||
(default SQL_055a) Condition elimination in quoted context in parameter value |
|
| |
(default SQL_060a) Set operator in parameter value |
|
|
|
(default SQL_065a) Special SQL keywords |
|
|
