I was taking a look at some projects on the internet that involve security and I came across the following code.
All requests to the site were redirected to index.php by mod_rewrite, the database connection was done with PDO using prepared statements, everything followed the standard, and then, looking at the index, I came across this code:
/** The project only allows slugs with 250 characters **/
// Note: strlen() counts bytes, not characters, so multibyte slugs hit the limit sooner.
if (isset($_GET['params']) && (strlen($_GET['params']) > 250))
{
    header('HTTP/1.0 403 Forbidden');
    die('<b>O endereço atual excede os limites de segurança</b>');
}
I thought it was strange and I decided to download it to check it out.
I used sqlmap to run some tests and it did not work. I removed the block I posted above and ran the tests again; basically nothing changed, except that in the Apache logs I could see the sqlmap strings "passing" rather than being "barred" by the script and generating 403 errors.
To secure the application and save server resources, is the code above a precautionary measure or an unnecessary one?
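An added example, not code from the post or the project it describes, that puts the post's length-only check beside an allowlist check on the slug format; the slug alphabet (lowercase letters, digits, hyphens) and the helper names are assumptions:

```php
<?php
// Added example (not from the original post). Compares the length-only guard
// from the post with an allowlist guard on the slug format. Assumes slugs are
// lowercase letters, digits and hyphens, up to 250 characters.

const SLUG_MAX_LEN = 250;

/** Length-only guard, as in the post: true means the request should get a 403. */
function blockedByLength(?string $params): bool
{
    // strlen() counts bytes, so a 250-character multibyte slug can still exceed this.
    return $params !== null && strlen($params) > SLUG_MAX_LEN;
}

/** Allowlist guard: accept only well-formed slugs; anything else gets a 403. */
function blockedByFormat(?string $params): bool
{
    if ($params === null) {
        return false; // no slug supplied; leave that to the router
    }
    // Anchored pattern: characters outside the allowlist, or too many of them, are rejected.
    return preg_match('/\A[a-z0-9-]{1,' . SLUG_MAX_LEN . '}\z/', $params) !== 1;
}

// Constructed sample inputs (label => input).
$samples = [
    'ordinary slug'                  => 'about-us',
    'overlong slug'                  => str_repeat('a', SLUG_MAX_LEN + 1),
    'short string with a quote'      => "news' --",
    'short string with path chars'   => 'post/../index.php',
];

foreach ($samples as $label => $input) {
    printf("%-30s length-check: %-4s format-check: %s\n",
        $label,
        blockedByLength($input) ? '403' : 'pass',
        blockedByFormat($input) ? '403' : 'pass');
}
```

Only the overlong input is stopped by the length check; the two short malformed inputs pass it and are caught only by the format check, which is why the length cap alone changes little beyond what shows up in the Apache logs.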