# Securi firewall preventing certain text strings



## Marc (Jun 26, 1999)

I'm sure this is part of their filtering, but it took me a while to find out that my post was being rejected because I had this text in it: *(think "Premiere" in YouTube terms where streaming availability merely starts at a particular time)*

This was from this post. Removing the parentheses seemed to allow me to use those words.

I wanted to mention this in case it was worthwhile to pass along to Securi.


----------



## kdmorse (Jan 29, 2001)

Block ID: SQLi71
Block reason: SQL injection was detected and blocked.

So, something in that text is triggering a pattern match to a known SQL injection. I'll play around with it to see if I can boil it down to a smaller test case, but that's purely out of curiosity. The only real answer is to adjust the post (as you did) so it doesn't trigger that block.


----------



## kdmorse (Jan 29, 2001)

The above is enough to trigger it. The word broadcast and the opening parenthesis are required to trigger it, so clearly there's a commonly abused broadcast function that takes parameters in SQL land. I was narrowing it down further when I apparently irritated the firewall and am now sitting out a temp ban.

(At least I hope it's just a temp ban for that IP.)


----------



## kdmorse (Jan 29, 2001)

Appears to be the bare minimum to make it complain.


----------



## Marc (Jun 26, 1999)

Thanks for figuring that out, @kdmorse!

I also encountered the problem with this text below (changing the brackets to parentheses). There's no "where" inside that phrase, but "broadcast" is clearly a trigger.



> The Eurovision Song Contest is ramping up. 39 countries are competing in a live-broadcast [except for Australia's which will be broadcast from a taped live performance] contest that starts with the first of two semi-finals on Tuesday, March 18.


----------



## Rob Helmerichs (Oct 17, 2000)

Looks like "from" is another SQL term...


----------



## kdmorse (Jan 29, 2001)

"broadcast" being a trigger has been bugging me - as it's not a SQL clause or function. Seeing it pop up again, the lightbulb went on: it's really only triggering on the word cast(. And that makes a lot more sense. Casting a subquery to a particular datatype, or just using cast( as obfuscation, seems perfectly plausible.

(And yes, select, delete, update, where, and from, are pretty much the backbones of a SQL statement)


----------
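The false positive worked out above, as an added example that is not part of the thread and not the firewall vendor's actual SQLi71 rule: three hypothetical signatures (all names and patterns here are assumptions) run over the sentence quoted in the thread plus two constructed strings, showing why an unanchored `cast(` match flags "broadcast (" and what tightening the pattern changes.

```python
import re

# Hypothetical rules for illustration only; the real SQLi71 signature is not
# shown anywhere on this page.
RULES = {
    # Substring match: fires on any "...cast (", which is what the thread infers.
    "naive": re.compile(r"cast\s*\(", re.IGNORECASE),
    # Token must start at a word boundary, so "broadcast (" no longer matches.
    "bounded": re.compile(r"\bcast\s*\(", re.IGNORECASE),
    # Require the SQL shape CAST(<expr> AS <type>), not just the token.
    "structured": re.compile(
        r"\bcast\s*\([^()]*\bas\s+[a-z]+\s*(\(\d+\))?\s*\)", re.IGNORECASE
    ),
}

# Sample inputs. "forum_post" is the sentence quoted in the thread with the
# brackets changed to parentheses, as the poster describes; the other two
# are constructed for this example.
SAMPLES = {
    "forum_post": (
        "39 countries are competing in a live-broadcast (except for "
        "Australia's which will be broadcast from a taped live performance) "
        "contest"
    ),
    "prose_cast": "The cast (including two newcomers) was announced today.",
    "sql_cast": "SELECT CAST(created AS CHAR(10)) FROM posts",
}


def evaluate(text):
    """Return which hypothetical rules would flag the given text."""
    return {name: bool(rx.search(text)) for name, rx in RULES.items()}


def report():
    """Evaluate every sample against every rule."""
    return {label: evaluate(text) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdicts in report().items():
        print(f"{label:11s} {verdicts}")
```

The word-boundary rule clears the forum post but still flags ordinary prose such as "The cast (including ...", which is why the third rule checks for the `AS <type>` shape as well.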



## Marc (Jun 26, 1999)

Ah, yes... CAST() is something with which I have some familiarity.


----------



## cwerdna (Feb 22, 2001)

kdmorse said:


> Block ID: SQLi71
> Block reason: SQL injection was detected and blocked.


I ran into this as well. It's super annoying. No, I'm not trying to do SQL injection attacks.


----------



## Mike Lang (Nov 17, 1999)

There should be some changes coming to help with this moving forward.


----------



## danm628 (May 14, 2002)

I had an odd event tonight. Tried to make a post with a link to a YouTube video. Two attempts from my iPad resulted in failures. Interesting Securi errors with just "error" and no number or anything else displayed. First try on my iMac worked. I tried the iMac to get info to post a report, much easier to do from a desktop system. So I'm not sure if it was a short-term issue or an iPad vs desktop issue.


----------

