
ModSecurity for web-application firewalls

ModSecurity for web-application firewalls

Posted Dec 16, 2016 16:49 UTC (Fri) by smurf (subscriber, #17840)
Parent article: ModSecurity for web-application firewalls

Surnames may have spaces, non-ASCII letters, apostrophes, and whatnot. Summary: Please don't do that.



ModSecurity for web-application firewalls

Posted Dec 17, 2016 4:50 UTC (Sat) by dune73 (guest, #17225)

Sure thing. It's a simple example with a simple regex.

The real-world rules for free text fields are a bit more complex.

ModSecurity for web-application firewalls

Posted Dec 17, 2016 11:15 UTC (Sat) by anselm (subscriber, #2796)

Actually, people may not even have surnames. Fortunately the original regex takes that into account; let's hope that the actual application does, too.

ModSecurity for web-application firewalls

Posted Dec 18, 2016 4:57 UTC (Sun) by dune73 (guest, #17225)

It is tempting to do the full input validation via ModSecurity rules. But the client and the application are in a much better position to do so.

Not having a surname is a typical example. It's up to the application to decide what to do with such a registration. ModSecurity should concentrate on security and leave people without a surname alone.

