httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jerry Stuckle <>
Subject Re: Writing apache module for filtering HTTP request on PHP website
Date Sun, 22 Dec 2013 04:02:47 GMT
On 12/21/2013 10:09 PM, farid ridho wrote:
> I'm going to make simple web application firewall like modsecurity. I want
> to write apache module in C for filtering a web attack like SQL injection.
> I put my web on http://localhost/vulweb my question is, when iam accessing
> http://localhost/vulweb i want the apache module analysis the request
> first, before continuing its to PHP website (if the request is not an
> attack). Can anyone help me to explain how to make a module for this
> purpose? and how to configure this module (sethandler, addhandler)??
> PS: I have already know how to write helloworld apache module with C, and
> run it through http://localhost/helloworld


You should be validating your information in PHP anyway, according to 
exactly what is expected (you can't expect a general purpose module to 
know that something which is valid on one page is invalid on another).

And if you validate your incoming data properly, you solve a lot more 
potential problems than SQL injection.

It just seems to me you're going about this the wrong way - or trying to 
take a short cut which doesn't really short cut anything - it just adds 
a additional layer of unneeded complexity.


View raw message