Apache Mod Security SQL Injections and Variable Names

We recently upgraded our server to a newer version of Apache ModSecurity. One of my jQuery inline-edit HTTP POST requests suddenly started returning a 406 Not Acceptable error, which was pretty annoying.

It was because I was sending a request parameter, type=varChar, which was used to define what sort of data was being sent. Apache ModSecurity was flagging this as:

[vb]
[msg "SQL Injection Attack"] [data "varchar"]
[/vb]

So I changed all occurrences of varChar to vc, which has now fixed the issue.

I will remember in future never to use parameter values like that again.

Ajax requests with jQuery

Have you ever wanted to push some data to the page to give a better user experience, without requiring a reload of the page you are on?

This can be achieved very easily with jQuery.

First, simply have a div allocated for the response; in this case we will use the id '#info'.

Then you can simply apply the following code to an on-click event; in this case we are using a div with the id '#clickHere'.

[sourcecode language="javascript"]
// someVar is assumed to already hold the value to send to load_data.php
$('#clickHere').click(function() {
    $.get('load_data.php?vars=' + someVar, function(data) {
        // set inner HTML with the data response from load_data.php
        $('#info').html(data);
    });
});
[/sourcecode]

The file load_data.php can contain any logic you want. Notice how I passed a variable called 'someVar' to the script; this may be necessary to output dynamic data.

Whatever is echoed out in load_data.php will be shown inside the div '#info'.
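The same fetch-and-display flow, as an added example (not the original post's code), with the two points the snippet above glosses over: the query-string value is URL-encoded so a value containing '&', '#' or spaces cannot reshape the request, and the response is HTML-escaped before insertion unless the page explicitly trusts load_data.php to emit markup. The load_data.php endpoint, the #info and #clickHere ids, and the RESPONSE_IS_HTML flag are assumptions for illustration.

```javascript
// Added example, not code from the original post. Assumes a load_data.php
// endpoint and the #info / #clickHere elements described in the post.

// Build "load_data.php?vars=<encoded>" from a raw value. Without
// encodeURIComponent, "a&b=1" would arrive as two parameters and "x#y"
// would be truncated at the fragment marker.
function buildLoadDataUrl(someVar) {
  return "load_data.php?vars=" + encodeURIComponent(String(someVar));
}

// Minimal HTML escaping so a response is shown literally in the page.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Decide what goes into #info. Only when the caller asserts that the server
// emits properly escaped markup is the response inserted as HTML; otherwise
// it is escaped, so an endpoint that echoes user input cannot inject script.
function renderResponse(data, trustedHtml) {
  return trustedHtml ? String(data) : escapeHtml(data);
}

// Assumed page-level flag: flip to true only if load_data.php deliberately
// returns server-escaped HTML rather than plain text.
const RESPONSE_IS_HTML = false;

// Browser wiring mirroring the post's click handler. Guarded so the pure
// functions above also run outside a page (for example under Node).
if (typeof window !== "undefined" && typeof window.jQuery === "function") {
  window.jQuery("#clickHere").on("click", function () {
    window.jQuery.get(buildLoadDataUrl(window.someVar), function (data) {
      window.jQuery("#info").html(renderResponse(data, RESPONSE_IS_HTML));
    });
  });
}
```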

This is a very useful technique when creating streamlined user experiences.