Is it possible to detect 100% of SQLi with a simple regex?Getting a SQL injection past a given regexWhich...
Why didn't Lorentz conclude that no object can go faster than light?
Face Value of SOFR futures
What happens if you declare more than $10,000 at the US border?
What dissuades people from lying about where they live in order to reduce state income taxes?
Define function that behaves almost identically to Mathematica function
Which was the first story to feature space elevators?
Identical projects by students at two different colleges: still plagiarism?
Coworker is trying to get me to sign his petition to run for office. How to decline politely?
How can I differentiate duration vs starting time
Where can I educate myself on D&D universe lore, specifically on vampires and supernatural monsters?
put country dropdown in phtml file in magento2
How can changes in personality/values of a person who turned into a vampire be explained?
The Late Queen Gives in to Remorse - Reverse Hangman
Is layered encryption more secure than long passwords?
Is it ethical to apply for a job on someone's behalf?
Can a planet be tidally unlocked?
What caused Doctor Strange to repent of his selfishness and become Earth's protector?
How to encircle section of matrix in LaTeX?
Exploding Numbers
Why Third 'Reich'? Why is 'reich' not translated when 'third' is? What is the English synonym of reich?
Can I legally make a website about boycotting a certain company?
How do I write a maintainable, fast, compile-time bit-mask in C++?
How do I know my password or backup information is not being shared when creating a new wallet?
How to scroll to next div using Javascript?
Is it possible to detect 100% of SQLi with a simple regex?
Getting a SQL injection past a given regexWhich enterprise-class DBMS allow forbiddance of (No)SQL comments?Faster SQL injection preventionBeyond SQL injections and XSSDatabase table name prefixes and security by obscurityHow bad is allow edit a database field containing an sql from a form?Validate database column and table names to prevent SQLi?Is the hosting OS safe to sql injection hackers by hiding admin ID?SQLi with quote filter?Is single quote filtering nonsense?
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
asked yesterday
reedreed
2,7192724
|
show 8 more comments
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
asked yesterday
reedreed
2,7192724
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
5
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
13
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
6
If you're okay with some false positives, then this one will always catch all SQL injection:.*
– Duncan X Simpson
17 hours ago
4
You don't even need a regex, justreturn true. Pretty high false-positive rate though.
– Kevin
12 hours ago
|
show 8 more comments
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
asked yesterday
reedreed
2,7192724
I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.
In other words, using very simple PHP code as an example:
if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}
The questions are:
- Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?
- Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".
- Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?
sql-injection ids detection regex
sql-injection ids detection regex
asked yesterday
reedreed
2,7192724
asked yesterday
reedreed
2,7192724
edited yesterday
reed
asked yesterday
reedreed
2,7192724
asked yesterday
reedreed
2,7192724
asked yesterday
reedreed
2,7192724
2,7192724
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
5
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
13
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
6
If you're okay with some false positives, then this one will always catch all SQL injection:.*
– Duncan X Simpson
17 hours ago
4
You don't even need a regex, justreturn true. Pretty high false-positive rate though.
– Kevin
12 hours ago
|
show 8 more comments
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
5
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
13
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
6
If you're okay with some false positives, then this one will always catch all SQL injection:.*
– Duncan X Simpson
17 hours ago
4
You don't even need a regex, justreturn true. Pretty high false-positive rate though.
– Kevin
12 hours ago
4
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
5
5
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
13
13
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
6
6
If you're okay with some false positives, then this one will always catch all SQL injection:
.*– Duncan X Simpson
17 hours ago
If you're okay with some false positives, then this one will always catch all SQL injection:
.*– Duncan X Simpson
17 hours ago
4
4
You don't even need a regex, just
return true. Pretty high false-positive rate though.– Kevin
12 hours ago
You don't even need a regex, just
return true. Pretty high false-positive rate though.– Kevin
12 hours ago
|
show 8 more comments
5 Answers
5
active
oldest
votes
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.3k29170206
1
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
37
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
4
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
|
show 5 more comments
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,108314
11
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
2
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
9
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
|
show 1 more comment
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4471311
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
|
show 5 more comments
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 19 hours ago
PhilippPhilipp
44.2k7112139
add a comment |
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered 22 hours ago
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
21 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
|
show 5 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203843%2fis-it-possible-to-detect-100-of-sqli-with-a-simple-regex%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.3k29170206
1
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
37
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
4
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
|
show 5 more comments
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.3k29170206
1
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
37
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
4
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
|
show 5 more comments
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.3k29170206
Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.
Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').
There are many guides on how to bypass common filtering techniques.
But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.
The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.
answered yesterday
schroeder♦schroeder
76.3k29170206
answered yesterday
schroeder♦schroeder
76.3k29170206
answered yesterday
schroeder♦schroeder
76.3k29170206
answered yesterday
schroeder♦schroeder
76.3k29170206
76.3k29170206
1
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
37
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
4
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
|
show 5 more comments
1
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
37
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
4
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
1
1
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.
– reed
yesterday
37
37
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.
– alex.forencich
yesterday
9
9
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
@alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327
– JAB
yesterday
3
3
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
"proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.
– jpmc26
yesterday
4
4
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
@Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.
– jpmc26
yesterday
|
show 5 more comments
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,108314
11
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
2
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
9
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
|
show 1 more comment
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,108314
11
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
2
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
9
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
|
show 1 more comment
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,108314
NO
Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.
As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.
edited yesterday
Joel Coehoorn
1,3571912
answered yesterday
SefaSefa
1,108314
edited yesterday
Joel Coehoorn
1,3571912
edited yesterday
Joel Coehoorn
1,3571912
edited yesterday
Joel Coehoorn
1,3571912
1,3571912
answered yesterday
SefaSefa
1,108314
answered yesterday
SefaSefa
1,108314
answered yesterday
SefaSefa
1,108314
1,108314
11
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
2
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
9
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
|
show 1 more comment
11
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
2
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
9
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
11
11
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.
– Giulio Muscarello
yesterday
2
2
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.
– Pedro A
yesterday
9
9
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.
– immibis
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)
– eckes
yesterday
1
1
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
@GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)
– mbrig
13 hours ago
|
show 1 more comment
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4471311
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
|
show 5 more comments
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4471311
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
|
show 5 more comments
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4471311
Technically, this is completely possible (though doing so also renders the database useless):
.+Will indeed detect any possible SQLi.
However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.
You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.
Use prepared statements or parameterized queries. They exist to solve this issue.
answered yesterday
Fake NameFake Name
4471311
edited 10 hours ago
answered yesterday
Fake NameFake Name
4471311
answered yesterday
Fake NameFake Name
4471311
answered yesterday
Fake NameFake Name
4471311
4471311
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
|
show 5 more comments
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
9
9
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
Technically correct is the best kind of correct.. but not in this scenario :P
– Dan Pantry
yesterday
14
14
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
@DanPantry - Nothing in the question specified that it had to allow anything.
– Fake Name
yesterday
2
2
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.
– Nate Eldredge
yesterday
1
1
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.
– jpa
22 hours ago
1
1
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
@FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.
– schroeder♦
22 hours ago
|
show 5 more comments
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 19 hours ago
PhilippPhilipp
44.2k7112139
add a comment |
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 19 hours ago
PhilippPhilipp
44.2k7112139
add a comment |
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 19 hours ago
PhilippPhilipp
44.2k7112139
No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).
If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).
But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:
- Use an ORM wrapper which writes SQL queries for you
- Use parameterized queries (also known as prepared statements)
- Use a programming language where SQL is part of the language syntax
- Use stored procedures
answered 19 hours ago
PhilippPhilipp
44.2k7112139
edited 19 hours ago
answered 19 hours ago
PhilippPhilipp
44.2k7112139
answered 19 hours ago
PhilippPhilipp
44.2k7112139
answered 19 hours ago
PhilippPhilipp
44.2k7112139
44.2k7112139
add a comment |
add a comment |
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered 22 hours ago
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
21 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
|
show 5 more comments
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered 22 hours ago
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
21 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
|
show 5 more comments
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered 22 hours ago
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)
SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.
If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.
The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.
ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)
A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.
answered 22 hours ago
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 22 hours ago
luis.espinalluis.espinal
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 22 hours ago
luis.espinalluis.espinal
1094
answered 22 hours ago
luis.espinalluis.espinal
1094
1094
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
21 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
|
show 5 more comments
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can captureSELECT x from ywhere eitherxoryare SQL SELECT statements themselves.
– luis.espinal
21 hours ago
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.
– schroeder♦
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm
– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture
SELECT x from y where either x or y are SQL SELECT statements themselves.– luis.espinal
21 hours ago
Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture
SELECT x from y where either x or y are SQL SELECT statements themselves.– luis.espinal
21 hours ago
1
1
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?
– schroeder♦
21 hours ago
3
3
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.
– schroeder♦
19 hours ago
|
show 5 more comments
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203843%2fis-it-possible-to-detect-100-of-sqli-with-a-simple-regex%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.
– Polynomial
yesterday
5
I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.
– schroeder♦
yesterday
13
@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)
– marcelm
yesterday
6
If you're okay with some false positives, then this one will always catch all SQL injection:
.*– Duncan X Simpson
17 hours ago
4
You don't even need a regex, just
return true. Pretty high false-positive rate though.– Kevin
12 hours ago