I’m looking into an issue for a friend of mine.
Basically, my friend has an HTML form that includes a text area. Users should be able to enter any text (think paragraphs) into this field for entry into a database.
The company hosting this new site, however, has mod_security installed and configured so that if a user enters any word reserved in SQL (insert, delete, describe, etc.), the POST transaction is denied and a 500 error status is returned.
They claim that this is their standard (in order to block injection attacks) and refuse to change the configuration. They also claim that numerous other developers find their way around this.
I myself have quite a bit of experience in the PHP/MySQL world but have never encountered this with a hosting provider.
The only way around this I see would be to filter out the reserved words client-side through JavaScript; however, I don’t see this as a viable solution, because users with JavaScript disabled (I am a huge proponent of graceful degradation & progressive enhancement) will simply be served an unusable form.
So my questions are:

1. Do you think the hosting provider is being a bit overzealous to not trust developers to do the proper filtering after the POST but before accessing/updating the database?
2. Do you know of a way around this that does not involve client-side manipulation of the input prior to the POST?

Any thoughts or ideas are greatly appreciated.