Comment regarding recent change to thread title rules
    I wanted to post on the actual thread, but it's locked to me...

    Re. the change to title requirements, i.e. no characters other than letters and numbers: it does make a descriptive post title of any length difficult to make readable. I'm a big proponent of highly descriptive thread titles.

    However, I agree that safety of the forum is paramount. My only request would be that if another solution presents itself, I would prefer the ability to add punctuation in titles. Thanks for listening...


    #2
    Yes, Kubuntuforum Announcements is restricted to Administrators.

    I do understand your position, and should a better solution be presented, I'm always open to listen. That said, I believe that "the issue" should follow the "question" and not the other way round. So a Title should be the question or a statement and not the problem at hand; that can be provided in the body of the post.

    Punctuation characters and where they are placed (in a Title) are what can trigger an SQL Injection presence. Consider what happens in a Konsole when you mistype and say, hit Enter after typing a [ in error.
    Windows no longer obstructs my view.
    Using Kubuntu Linux since March 23, 2007.
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



      #3
      Does the site use prepared sql statements?



        #4
        Originally posted by whatthefunk:
        Does the site use prepared sql statements?
        Can you elaborate?



          #5
          If you use prepared SQL statements and parameterize the queries, SQL injection is pretty much impossible.

          https://www.owasp.org/index.php/SQL_...zed_Queries.29



            #6
            Thank you.

            Our issue wasn't "real" SQL attacks, rather how ZB Block interpreted search queries based on Post/Thread Title content that contained non-alphanumeric characters in combination and/or position that take the form of an SQL. ZB Block protects us from SQL Injection attacks, but it can (and does) identify what it believes are SQL attacks that aren't (false positives).

            I have responded to members who were stopped by ZB Block when searching KFN, either logged in or externally via browser searches, when the Title searched for contained what ZB Block interpreted as SQL code (because of the presence of non-alphanumeric characters, both in type/combination and/or positioning). As an Administrator, I have also experienced this issue when trying to move/merge Posts/Threads, again, when their Titles were triggering ZB Block.

            There is no perfect solution. But, this solution is manageable, IMO. That members won't be able to create a Post/Thread Title that contains an error/code string isn't a deal breaker. As stated earlier, the error/code in its entirety can always be included within the body of the post. I am not aware of any incident where code cited within the body of a post has created any issue with ZB Block.

            To be clear(er), it isn't the existence of these characters in the Post/Thread Title itself; ZB Block doesn't care what is posted when a member is logged in; but what is contained in a search string. But if a search is based on a real Title, ZB Block checks the query against its rules.

            In the case of internal management of Posts/Threads by Moderators/Administrators; merging Posts/Threads say; the underlying execution of the action is via SQL; that's how vBulletin works. So again, if Post/Thread Titles contain characters that match ZB Block SQL Injection rules, ZB Block is triggered.
            Last edited by Snowhog; Dec 23, 2016, 05:42 PM.

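Added example to illustrate the two points made in #5 and #6 (this is not code from the forum, ZB Block or vBulletin): a parameterized query treats a title's punctuation as data, while a pattern-matching filter, stood in for here by a constructed regex, still flags the very same ordinary title. The sample titles are constructed.

```python
import re
import sqlite3

# Constructed sample thread titles (not taken from the forum); two contain the
# kind of punctuation the thread says trips the filter.
TITLES = [
    "Konsole hangs after typing [ by mistake",
    "Why won't apt-get update; what's wrong?",
    "Kubuntu 16.04 wifi setup",
]

# Hypothetical stand-in for a pattern-based filter like ZB Block: it flags
# search strings containing quotes, brackets, semicolons or "--".
SUSPICIOUS = re.compile(r"""['";\[\]]|--""")

def looks_like_sql(search_string):
    """True when the filter would stop this search string (a false positive
    whenever the string is just an ordinary title)."""
    return bool(SUSPICIOUS.search(search_string))

def make_db():
    """In-memory table of thread titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thread (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO thread (title) VALUES (?)", [(t,) for t in TITLES])
    return conn

def search_concat(conn, needle):
    """Unsafe style: the search string is spliced into the SQL text, so a
    single apostrophe in a legitimate title breaks the statement."""
    sql = "SELECT title FROM thread WHERE title LIKE '%" + needle + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_param(conn, needle):
    """Safe style: the search string travels as a bound parameter, so its
    punctuation is data and never becomes SQL syntax."""
    sql = "SELECT title FROM thread WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + needle + "%",))]

def demo(needle="what's wrong"):
    """Returns (concatenation survived?, parameterized hits, filter flagged?)."""
    conn = make_db()
    try:
        search_concat(conn, needle)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False  # the stray quote broke the query text
    return concat_ok, search_param(conn, needle), looks_like_sql(needle)

if __name__ == "__main__":
    print(demo())  # (False, ["Why won't apt-get update; what's wrong?"], True)
```

The result shows the two concerns are independent: the bound-parameter search returns the right thread unharmed, yet the character filter would still have stopped the search, which is exactly the false positive the thread describes.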


              #7
              Thanks for the clarification



                #8
                I do hope I explained myself well enough.

                If this MOD results in too many complaints I can always disable it.



                  #9
                  I'd go with Joe Friday, "Just the facts, Ma'am."
                  https://en.wikipedia.org/wiki/Joe_Friday
                  (There's always more to the story, there always is,
                  http://www.snopes.com/radiotv/tv/dragnet.asp,
                  but it's the idea that counts: Just give me the facts.)
                  An intellectual says a simple thing in a hard way. An artist says a hard thing in a simple way. Charles Bukowski
