@Api\Security\CheckInjections
Check incoming request for SQL Injections
The @Api\Security\CheckInjections()
annotation allows you perform a very basic check of the incoming
POST
and GET
variables. It searches for typical SQL-injection patterns like "; SELECT ...
and
automatically locks all requests from the current IP for 24 hours.
We know this: checking for typical SQL injection patterns at this level is not very reliable. There are many sneaky methods and patterns that could be missed by this check. And it should never be be a substitute for securing your database queries and sanitizing the variables before writing them to the database.
On the other hand: have you ever had a look in one of your server log files? You will see tons of requests from bots using patterns that would be successfully blocked by using this annotation. And keeping bots out of the system as soon as possible is always sensible.
The basic syntax is:
@Api\Security\CheckInjections( $autoLockIp )
An example would be:
// Check for typical injection-patterns and lock IP if an attempt was detected
@Api\Security\CheckInjections()
// Check, but don't automatically lock the IP
@Api\Security\CheckInjections( false )
Full example:
<?php
namespace My\Extension\Api;
use Nng\Nnrestapi\Annotations as Api;
use Nng\Nnrestapi\Api\AbstractApi;
/**
* @Api\Endpoint()
*/
class Example extends AbstractApi
{
/**
* (!) Note that we also need to add CheckLocked() for this to work
* This could also be done globally in the TypoScript setup
*
* @Api\Security\CheckInjections()
* @Api\Security\CheckLocked()
* @Api\Access("public")
*
* @return array
*/
public function getSettingsAction()
{
return ['nice'=>'result'];
}
}
Globally activating an injection test
If you would like to globally check for SQL injections for every endpoint, you do to not need
to add @Api\Security\CheckInjections()
to every endpoint manually. Instead you can
set up a global check using this TypoScript setup:
plugin.tx_nnrestapi {
settings {
security {
defaults {
10 = \Nng\Nnrestapi\Utilities\Security->checkInjections
20 = \Nng\Nnrestapi\Utilities\Security->checkLocked
}
}
}
}
Hint
The \nn\rest::Security()
-Helper has many useful methods in case you would like
to handle checking for limits and locking users manually.
Have a look at \Nng\Nnrestapi\Utilities\Security
for more details.
// manually lock an IP for 5 minutes
\nn\rest::Security( $this->request )->lockIp( 300, 'Reason why...' );
// unlock the IP
\nn\rest::Security( $this->request )->unlockIp();