The LimitRequestLine directive [17] in the Apache configuration file allows the webserver to reduce the size of an HTTP request . This includes all information passed in thequery as part of the GET request. The default value for this directive is 8190 bytes. If theSQL Injection is discovered on the GET request and our query including the arbitrary code8is larger than this value, Apache web server would response with the HTTP Status Code414 and the request would not be processed.By default, the Apache web server sets the LimitRequestBody directive to 2GB [17]. Thisis the allowed size of an HTTP request message body. If the SQL Injection is discovered ina POST request, 2GB will give us enough room to upload our arbitrary code.Web application firewalls also have the ability to terminate a long request. This longrequest is normally detected as a buffer overflow attack.
