osCommerce


MickeyRoush

Pioneers
Posts: 4
Real Name: Mickey Roush

MickeyRoush's Achievements
  1. I just remembered, you should never use the "everything atom" ".*" at the beginning or middle of a string, and if it's at the end of a string it needs to be followed by an anchor "$". So this can be improved.

        # Cookies
        RewriteCond %{HTTP_COOKIE} (<|>|'|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_?user)|values|varchar|version|xor)\( [NC,OR]

     To this:

        # cookies
        RewriteCond %{HTTP_COOKIE} (<|>|'|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position)(([^/]+/)*)(select)(([^/]+/)*)(time|trim|truncate|ucase|unhex|upper|(_?user)|values|varchar|version|xor)\( [NC,OR]

     Using (([^/]+/)*) is basically the same, but is more specific and is not resource expensive.
  2. Seems like there's a problem with that last line. Older versions of Apache don't like using an underscore after a pipe. Here is the corrected version.

        # Cookies
        RewriteCond %{HTTP_COOKIE} (<|>|'|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_?user)|values|varchar|version|xor)\( [NC,OR]
  3. I was doing some research on a project and Google brought me to this thread. I was looking at your .htaccess rules and I saw a syntax error and a repeated word. On this line I believe you made a syntax error: you meant to use | but you actually put }

        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]

     Also, this word is repeated: information_schema

     You could also eliminate the multiple use of \(

     I've fixed and optimized this section for you here:

     Before:

        # cookies
        RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
        RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(}encode\(|encrypt\() [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

     After:

        # cookies
        RewriteCond %{HTTP_COOKIE} (<|>|'|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect) [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?|conv(ert)?|count)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(database|decode|diff|distinct|elt|encode|encrypt|eval|extract|field|floor|format|hex|if|in(sert|str)?)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(interval|lcase|le(ft|ngth)|lo(ad_file|cate|ck|g|wer)|lpad|ltrim|max|md5|mid|mod|now|null)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*((passw)?ord|position|quote|rand|repeat|replace|reverse|right|rlike|row_count|rpad|rtrim)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(_set|schema|sha[12]|sleep|soundex|space|strcmp|substr(_index|ing)?|sum)\( [NC,OR]
        RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(time|trim|truncate|ucase|unhex|upper|(_)?user||values|varchar|version|xor)\( [NC,OR]

     A savings of 472 bytes. Sorry, didn't mean to hijack your thread. :(
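An added harness, not code from this thread or from osCommerce, for checking what a cookie rule set actually matches before it goes into .htaccess. It takes the generic rule and the first function rule from the posts above in both forms discussed there, the ".*" form and the "(([^/]+/)*)" form, and runs them over a few constructed Cookie header values; the sample values, the rule-set names and the helper functions are mine. Apache evaluates a RewriteCond pattern as an unanchored PCRE search, [NC] makes it case-insensitive and [OR] means the request is caught as soon as any one rule fires, which is what the helpers model with Python's re module.

```python
import re

# Added example (not from the thread): a harness that reports which
# RewriteCond patterns fire for a given Cookie header.  Apache runs each
# pattern as an unanchored PCRE search; [NC] maps to re.IGNORECASE and
# [OR] chaining means one firing rule is enough to block the request.
# Only the generic rule and the first function rule from the posts are
# included, in both forms discussed: ".*" and "(([^/]+/)*)".

GENERIC_RULE = (
    r"(<|>|'|%0[AD0]|%27|%3[CE]|eval\%(25)?28|(information|table)_schema"
    r"|null(\,)?|outfile|union([^a]*a)+ll([^s]*s)+elect)"
)
FUNCTIONS = (
    r"(ascii|bin|benchmark|cast|char(set)?|collation|concat(_ws)?"
    r"|conv(ert)?|count)\("
)

DOT_STAR_RULES = [
    GENERIC_RULE,
    r"(union|and|position).*(select).*" + FUNCTIONS,
]
SLASH_RULES = [
    GENERIC_RULE,
    r"(union|and|position)(([^/]+/)*)(select)(([^/]+/)*)" + FUNCTIONS,
]

# Constructed Cookie header values (not real traffic) used to exercise the rules.
SAMPLES = {
    # ordinary storefront cookies
    "benign": "osCsid=8f1c2d; language=en; currency=USD",
    # SQL keywords separated by spaces
    "keywords_spaced": "osCsid=8f1c2d; id=1 union select count(*) from x",
    # SQL keywords separated by /**/ comment sequences
    "keywords_commented": "osCsid=8f1c2d; id=1 union/**/select/**/count(*) from x",
    # keywords where each gap is "text followed by a slash"
    "keywords_slashed": "osCsid=8f1c2d; path=1 union a/select b/count(x)",
    # an ordinary value that happens to be the bare word null
    "bare_null": "osCsid=8f1c2d; referrer=null",
}


def firing_rules(rules, cookie_header):
    """Indices of the rules whose pattern is found anywhere in the header."""
    return [
        i for i, pattern in enumerate(rules)
        if re.search(pattern, cookie_header, re.IGNORECASE)
    ]


def is_blocked(rules, cookie_header):
    """[OR] chaining: one firing rule is enough to block the request."""
    return bool(firing_rules(rules, cookie_header))


def compare(rules_by_name, samples):
    """{sample name: {rule-set name: indices of the rules that fired}}."""
    return {
        sample: {name: firing_rules(rules, header)
                 for name, rules in rules_by_name.items()}
        for sample, header in samples.items()
    }


if __name__ == "__main__":
    table = compare({"dot_star": DOT_STAR_RULES, "slash": SLASH_RULES}, SAMPLES)
    for sample, result in table.items():
        print(f"{sample:20s} {result}")
```

Running the block prints, per sample, the index of each rule that fired under each form; an empty list means the header passes that rule set. Checking a candidate pattern this way also shows which alternation is responsible for a hit, for example the bare null alternative in the generic rule, so false positives on ordinary cookie values can be spotted before the rules are deployed.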