Deny Rule Group - (default) SQL Injection (SQLi) in Parameter Value
This group contains SQL injection deny rules for parameter values. The security level Basic prevents injection of new SQL statements (e.g. ; DROP TABLE) and set operations (e.g. UNION SELECT). The security level Standard additionally prevents injection of SQL sub queries and of SQL expressions in single-quote context (e.g. ' or 1=1--). The security level Strict additionally prevents SQLi in unquoted context (e.g. 1 or 1).
SQLI_PARAM_VALUE:
Rule name | Legacy | Basic | Standard | Strict |
---|---|---|---|---|
(default SQL_001A) Expression in unquoted context in parameter value | x | | | |
(default SQL_005A) Expression in quoted context in parameter value | x | x | | |
(default SQL_020A) Statement in C style comment tag in parameter value | x | x | x | |
(default SQL_025A) New statement in unquoted context in parameter value | x | x | | |
(default SQL_030A) New statement in quoted context in parameter value | x | x | x | |
(default SQL_040A) Sub query in bracket context in parameter value | x | | | |
(default SQL_045A) Sub query in parameter value | x | x | | |
(default SQL_050A) Condition elimination in unquoted context in parameter value | x | | | |
(default SQL_055A) Condition elimination in quoted context in parameter value | x | x | | |
(default SQL_060A) Set operator in parameter value | x | x | x | |
(default SQL_065A) Special SQL keywords | x | x | | |
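
The cumulative behaviour of the Basic, Standard and Strict levels described above can be sketched as follows. This is an added example, not the product's rule set: the regular expressions, `blocking_level` and `is_blocked` are simplified assumptions that only model the payload classes named in the text, and the Legacy level is not modelled because the text does not describe it.

```python
import re

# Security levels in increasing strictness, as named on the page.
LEVELS = ["Basic", "Standard", "Strict"]

# Simplified stand-in patterns (assumptions, NOT the product's rule regexes),
# grouped by the level at which the text says the class starts being blocked.
PATTERNS = {
    "Basic": [
        ("new statement",
         re.compile(r";\s*(drop|insert|update|delete|select|create|alter)\b", re.I)),
        ("set operation", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ],
    "Standard": [
        ("sub query", re.compile(r"\(\s*select\b", re.I)),
        ("expression in single-quote context",
         re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
    ],
    "Strict": [
        ("expression in unquoted context",
         re.compile(r"^\s*\d+\s+(or|and)\s+\d+", re.I)),
    ],
}

def blocking_level(value):
    """Return (lowest level that blocks value, matched class) or (None, None)."""
    for level in LEVELS:
        for name, pattern in PATTERNS[level]:
            if pattern.search(value):
                return level, name
    return None, None

def is_blocked(value, configured_level):
    """A configured level enforces its own patterns plus those of all lower levels."""
    level, _ = blocking_level(value)
    return level is not None and LEVELS.index(level) <= LEVELS.index(configured_level)

# Constructed sample parameter values, built from the examples in the text above.
SAMPLES = ["42; DROP TABLE users", "1 UNION SELECT name FROM t",
           "x' or 1=1--", "1 or 1", "blue shirt"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} -> {blocking_level(s)}")
```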