Is it possible to detect 100% of SQLi with a simple regex?Getting a SQL injection past a given regexWhich...

Why didn't Lorentz conclude that no object can go faster than light?

Face Value of SOFR futures

What happens if you declare more than $10,000 at the US border?

What dissuades people from lying about where they live in order to reduce state income taxes?

Define function that behaves almost identically to Mathematica function

Which was the first story to feature space elevators?

Identical projects by students at two different colleges: still plagiarism?

Coworker is trying to get me to sign his petition to run for office. How to decline politely?

How can I differentiate duration vs starting time

Where can I educate myself on D&D universe lore, specifically on vampires and supernatural monsters?

put country dropdown in phtml file in magento2

How can changes in personality/values of a person who turned into a vampire be explained?

The Late Queen Gives in to Remorse - Reverse Hangman

Is layered encryption more secure than long passwords?

Is it ethical to apply for a job on someone's behalf?

Can a planet be tidally unlocked?

What caused Doctor Strange to repent of his selfishness and become Earth's protector?

How to encircle section of matrix in LaTeX?

Exploding Numbers

Why Third 'Reich'? Why is 'reich' not translated when 'third' is? What is the English synonym of reich?

Can I legally make a website about boycotting a certain company?

How do I write a maintainable, fast, compile-time bit-mask in C++?

How do I know my password or backup information is not being shared when creating a new wallet?

How to scroll to next div using Javascript?



Is it possible to detect 100% of SQLi with a simple regex?


Getting a SQL injection past a given regexWhich enterprise-class DBMS allow forbiddance of (No)SQL comments?Faster SQL injection preventionBeyond SQL injections and XSSDatabase table name prefixes and security by obscurityHow bad is allow edit a database field containing an sql from a form?Validate database column and table names to prevent SQLi?Is the hosting OS safe to sql injection hackers by hiding admin ID?SQLi with quote filter?Is single quote filtering nonsense?













13















I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.



In other words, using very simple PHP code as an example:



if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}


The questions are:




  • Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?

  • Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".

  • Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?










share|improve this question




















  • 4





    @reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.

    – Polynomial
    yesterday








  • 5





    I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.

    – schroeder
    yesterday






  • 13





    @reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)

    – marcelm
    yesterday






  • 6





    If you're okay with some false positives, then this one will always catch all SQL injection: .*

    – Duncan X Simpson
    17 hours ago






  • 4





    You don't even need a regex, just return true. Pretty high false-positive rate though.

    – Kevin
    12 hours ago
















13















I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.



In other words, using very simple PHP code as an example:



if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}


The questions are:




  • Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?

  • Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".

  • Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?










share|improve this question




















  • 4





    @reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.

    – Polynomial
    yesterday








  • 5





    I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.

    – schroeder
    yesterday






  • 13





    @reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)

    – marcelm
    yesterday






  • 6





    If you're okay with some false positives, then this one will always catch all SQL injection: .*

    – Duncan X Simpson
    17 hours ago






  • 4





    You don't even need a regex, just return true. Pretty high false-positive rate though.

    – Kevin
    12 hours ago














13












13








13


7






I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.



In other words, using very simple PHP code as an example:



if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}


The questions are:




  • Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?

  • Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".

  • Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?










share|improve this question
















I'm wondering if it is possible to detect 100% of the possible SQLi attacks using a simple regex.



In other words, using very simple PHP code as an example:



if (preg_match("/select/i", $input)) {
attack_log("Possible SELECT SQLi detected.")
}


The questions are:




  • Will that regex catch all possible SQLi attacks that use SELECT? If not, is it possible to change that regex so that it is going to detect all injections that rely on SELECT?

  • Is it possible to change that regex to so that it will catch all possible SQLi, so not only SELECT statements but also all the rest? I'm afraid that to achieve this I would need to add every possible SQL keyword to the regex, including "AND" and "OR".

  • Supposing it's not possible or feasible to detect all SQLi by trying to match all the possible SQL keywords, is there a limited subset of keywords that would allow me to detect the vast majority of possible attacks?







sql-injection ids detection regex






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited yesterday







reed

















asked yesterday









reedreed

2,7192724




2,7192724








  • 4





    @reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.

    – Polynomial
    yesterday








  • 5





    I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.

    – schroeder
    yesterday






  • 13





    @reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)

    – marcelm
    yesterday






  • 6





    If you're okay with some false positives, then this one will always catch all SQL injection: .*

    – Duncan X Simpson
    17 hours ago






  • 4





    You don't even need a regex, just return true. Pretty high false-positive rate though.

    – Kevin
    12 hours ago














  • 4





    @reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.

    – Polynomial
    yesterday








  • 5





    I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.

    – schroeder
    yesterday






  • 13





    @reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)

    – marcelm
    yesterday






  • 6





    If you're okay with some false positives, then this one will always catch all SQL injection: .*

    – Duncan X Simpson
    17 hours ago






  • 4





    You don't even need a regex, just return true. Pretty high false-positive rate though.

    – Kevin
    12 hours ago








4




4





@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.

– Polynomial
yesterday







@reed The problem is that StackExchange isn't an open forum for discussing ideas. It's a Q&A site with restrictions on the types of questions that can be asked, in order to promote content that is useful to both those asking the questions and future readers. Questions like this, where the goal (intended or otherwise) is to ruminate over ideas rather than get a single concrete answer, aren't considered to be on-topic here. Since any correct answer would need to start with "don't do this, use parameters instead" it doesn't seem like there's much value that can come of it.

– Polynomial
yesterday






5




5





I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.

– schroeder
yesterday





I was sure there was a duplicate that I could point you towards, but I never found one. There should be one.

– schroeder
yesterday




13




13





@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)

– marcelm
yesterday





@reed Imagine the frustration of your pour users being frustrated they can't submit a post/comment/biography/whatever saying "I recommend you select the best tool for the job." ;)

– marcelm
yesterday




6




6





If you're okay with some false positives, then this one will always catch all SQL injection: .*

– Duncan X Simpson
17 hours ago





If you're okay with some false positives, then this one will always catch all SQL injection: .*

– Duncan X Simpson
17 hours ago




4




4





You don't even need a regex, just return true. Pretty high false-positive rate though.

– Kevin
12 hours ago





You don't even need a regex, just return true. Pretty high false-positive rate though.

– Kevin
12 hours ago










5 Answers
5






active

oldest

votes


















87














Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.



Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').



There are many guides on how to bypass common filtering techniques.



But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.



The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.






share|improve this answer



















  • 1





    I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

    – reed
    yesterday






  • 37





    Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

    – alex.forencich
    yesterday






  • 9





    @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

    – JAB
    yesterday








  • 3





    "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

    – jpmc26
    yesterday






  • 4





    @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

    – jpmc26
    yesterday





















49














NO



Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.



As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.






share|improve this answer





















  • 11





    To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

    – Giulio Muscarello
    yesterday






  • 2





    Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

    – Pedro A
    yesterday






  • 9





    That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

    – immibis
    yesterday











  • Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

    – eckes
    yesterday






  • 1





    @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

    – mbrig
    13 hours ago



















24















Technically, this is completely possible (though doing so also renders the database useless):





  • .+ Will indeed detect any possible SQLi.


However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.



You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.



Use prepared statements or parameterized queries. They exist to solve this issue.






share|improve this answer





















  • 9





    Technically correct is the best kind of correct.. but not in this scenario :P

    – Dan Pantry
    yesterday






  • 14





    @DanPantry - Nothing in the question specified that it had to allow anything.

    – Fake Name
    yesterday






  • 2





    This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

    – Nate Eldredge
    yesterday






  • 1





    This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

    – jpa
    22 hours ago






  • 1





    @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

    – schroeder
    22 hours ago



















1














No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).



If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).



But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:




  • Use an ORM wrapper which writes SQL queries for you

  • Use parameterized queries (also known as prepared statements)

  • Use a programming language where SQL is part of the language syntax

  • Use stored procedures






share|improve this answer

































    -1














    No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)



    SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.



    If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.



    The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.



    ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)



    A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.






    share|improve this answer








    New contributor




    luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















    • SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

      – schroeder
      21 hours ago











    • Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

      – luis.espinal
      21 hours ago











    • Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

      – luis.espinal
      21 hours ago






    • 1





      You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

      – schroeder
      21 hours ago






    • 3





      Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

      – schroeder
      19 hours ago











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "162"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203843%2fis-it-possible-to-detect-100-of-sqli-with-a-simple-regex%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    5 Answers
    5






    active

    oldest

    votes








    5 Answers
    5






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    87














    Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.



    Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').



    There are many guides on how to bypass common filtering techniques.



    But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.



    The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.






    share|improve this answer



















    • 1





      I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

      – reed
      yesterday






    • 37





      Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

      – alex.forencich
      yesterday






    • 9





      @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

      – JAB
      yesterday








    • 3





      "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

      – jpmc26
      yesterday






    • 4





      @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

      – jpmc26
      yesterday


















    87














    Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.



    Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').



    There are many guides on how to bypass common filtering techniques.



    But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.



    The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.






    share|improve this answer



















    • 1





      I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

      – reed
      yesterday






    • 37





      Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

      – alex.forencich
      yesterday






    • 9





      @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

      – JAB
      yesterday








    • 3





      "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

      – jpmc26
      yesterday






    • 4





      @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

      – jpmc26
      yesterday
















    87












    87








    87







    Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.



    Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').



    There are many guides on how to bypass common filtering techniques.



    But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.



    The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.






    share|improve this answer













    Keyword filtering for SQLi is not a good technique. There are too many ways to bypass it.



    Crazy things like sel/**/ect might work, for instance. Or playing games with substr(). And then there's EXEC('SEL' + 'ECT 1').



    There are many guides on how to bypass common filtering techniques.



    But then you might ask if there is a superset of things to filter for (like select and /**/ and substr and EXEC), but then the list gets very, very long, and you still might not get a comprehensive list.



    The better approach is to understand the range of acceptable inputs and protect those or to make it ineffective to use SQLi through proper design.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered yesterday









    schroederschroeder

    76.3k29170206




    76.3k29170206








    • 1





      I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

      – reed
      yesterday






    • 37





      Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

      – alex.forencich
      yesterday






    • 9





      @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

      – JAB
      yesterday








    • 3





      "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

      – jpmc26
      yesterday






    • 4





      @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

      – jpmc26
      yesterday
















    • 1





      I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

      – reed
      yesterday






    • 37





      Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

      – alex.forencich
      yesterday






    • 9





      @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

      – JAB
      yesterday








    • 3





      "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

      – jpmc26
      yesterday






    • 4





      @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

      – jpmc26
      yesterday










    1




    1





    I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

    – reed
    yesterday





    I guess this is exactly the kind of answer I needed, and that link is especially helpful to understand how complex all this can get. Thanks.

    – reed
    yesterday




    37




    37





    Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

    – alex.forencich
    yesterday





    Not to mention the false positive rate. The more things in your list, the more likely you'll match something in the query data - name, user name, email address, etc. Imagine if someone tried to register as bob@executiveselect.com or something along those lines.

    – alex.forencich
    yesterday




    9




    9





    @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

    – JAB
    yesterday







    @alex.forencich And sometimes the set of valid data may overlap with the set of malicious inputs. xkcd.com/327

    – JAB
    yesterday






    3




    3





    "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

    – jpmc26
    yesterday





    "proper design" It would greatly improve the answer to mention what that proper design is, the parameterized queries part in particular.

    – jpmc26
    yesterday




    4




    4





    @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

    – jpmc26
    yesterday







    @Nelson All that of "published material" mostly boils down to, "Use parameterized queries for any value that can't be hard coded directly into the query text, especially user input." (Literally. The only thing beyond this is the question of what to do if you need to have some kind of dynamic value for an identifier, and that isn't necessary in the vast majority of cases.) No harm would come from including a brief summary of that nature. It's really not as big a topic as you seem to think.

    – jpmc26
    yesterday















    49














    NO



    Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.



    As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.






    share|improve this answer





















    • 11





      To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

      – Giulio Muscarello
      yesterday






    • 2





      Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

      – Pedro A
      yesterday






    • 9





      That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

      – immibis
      yesterday











    • Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

      – eckes
      yesterday






    • 1





      @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

      – mbrig
      13 hours ago
















    49














    NO



    Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.



    As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.






    share|improve this answer





















    • 11





      To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

      – Giulio Muscarello
      yesterday






    • 2





      Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

      – Pedro A
      yesterday






    • 9





      That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

      – immibis
      yesterday











    • Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

      – eckes
      yesterday






    • 1





      @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

      – mbrig
      13 hours ago














    49












    49








    49







    NO



    Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.



    As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.






    share|improve this answer















    NO



    Since every SQL injection is (by definition) valid SQL and since SQL is a context-free language (source), there is (again, by definition) no regex capable of matching an SQL injection, and trying to do so would probably give result similar to this.



    As said by pretty much every comment, use the right tool for the job. In this case it's a prepared statement.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited yesterday









    Joel Coehoorn

    1,3571912




    1,3571912










    answered yesterday









    SefaSefa

    1,108314




    1,108314








    • 11





      To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

      – Giulio Muscarello
      yesterday






    • 2





      Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

      – Pedro A
      yesterday






    • 9





      That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

      – immibis
      yesterday











    • Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

      – eckes
      yesterday






    • 1





      @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

      – mbrig
      13 hours ago














    • 11





      To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

      – Giulio Muscarello
      yesterday






    • 2





      Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

      – Pedro A
      yesterday






    • 9





      That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

      – immibis
      yesterday











    • Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

      – eckes
      yesterday






    • 1





      @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

      – mbrig
      13 hours ago








    11




    11





    To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

    – Giulio Muscarello
    yesterday





    To be pedantic, this means that a regex that matches only SQL injections (and all of them) is impossible, which is true but not of much value - if it were ever to exist, a solution that also matched invalid SQL would be okay, which reopens the question. This is of course only a theoretical nitpick, in practice regexes are not the right tool or approach for the job.

    – Giulio Muscarello
    yesterday




    2




    2





    Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

    – Pedro A
    yesterday





    Another theoretical nitpick is that modern regexes are strictly more powerful than the original definition of "regular expression", due to lookarounds and backreferences and such. I wouldn't be surprised if more modern regexes are even Turing complete.

    – Pedro A
    yesterday




    9




    9





    That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

    – immibis
    yesterday





    That is does not follow. Every string of 1s is a valid mathematical expression, and mathematical expressions are a context-free language, but that doesn't mean I can't write a regex to match strings of 1s.

    – immibis
    yesterday













    Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

    – eckes
    yesterday





    Thats not correct, to detect SQLi you do not detect valid SQL syntax, you just need to detect quote busting constructs. (However it is still a very brittle approach)

    – eckes
    yesterday




    1




    1





    @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

    – mbrig
    13 hours ago





    @GiulioMuscarello /.*/ matches all valid SQL (and also some invalid SQL), but would presumably not be ok :)

    – mbrig
    13 hours ago











    24















    Technically, this is completely possible (though doing so also renders the database useless):





    • .+ Will indeed detect any possible SQLi.


    However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.



    You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.



    Use prepared statements or parameterized queries. They exist to solve this issue.






    share|improve this answer





















    • 9





      Technically correct is the best kind of correct.. but not in this scenario :P

      – Dan Pantry
      yesterday






    • 14





      @DanPantry - Nothing in the question specified that it had to allow anything.

      – Fake Name
      yesterday






    • 2





      This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

      – Nate Eldredge
      yesterday






    • 1





      This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

      – jpa
      22 hours ago






    • 1





      @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

      – schroeder
      22 hours ago
















    24















    Technically, this is completely possible (though doing so also renders the database useless):





    • .+ Will indeed detect any possible SQLi.


    However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.



    You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.



    Use prepared statements or parameterized queries. They exist to solve this issue.






    share|improve this answer





















    • 9





      Technically correct is the best kind of correct.. but not in this scenario :P

      – Dan Pantry
      yesterday






    • 14





      @DanPantry - Nothing in the question specified that it had to allow anything.

      – Fake Name
      yesterday






    • 2





      This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

      – Nate Eldredge
      yesterday






    • 1





      This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

      – jpa
      22 hours ago






    • 1





      @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

      – schroeder
      22 hours ago














    24












    24








    24








    Technically, this is completely possible (though doing so also renders the database useless):





    • .+ Will indeed detect any possible SQLi.


    However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.



    You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.



    Use prepared statements or parameterized queries. They exist to solve this issue.






    share|improve this answer
















    Technically, this is completely possible (though doing so also renders the database useless):





    • .+ Will indeed detect any possible SQLi.


    However, it will also detect any attempt to do normal queries(or any text at all), rendering the database completely useless.



    You could equally say that turning the database off protects from SQLi. It's true, but it also renders the database useless for it's intended purpose.



    Use prepared statements or parameterized queries. They exist to solve this issue.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited 10 hours ago

























    answered yesterday









    Fake NameFake Name

    4471311




    4471311








    • 9





      Technically correct is the best kind of correct.. but not in this scenario :P

      – Dan Pantry
      yesterday






    • 14





      @DanPantry - Nothing in the question specified that it had to allow anything.

      – Fake Name
      yesterday






    • 2





      This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

      – Nate Eldredge
      yesterday






    • 1





      This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

      – jpa
      22 hours ago






    • 1





      @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

      – schroeder
      22 hours ago














    • 9





      Technically correct is the best kind of correct.. but not in this scenario :P

      – Dan Pantry
      yesterday






    • 14





      @DanPantry - Nothing in the question specified that it had to allow anything.

      – Fake Name
      yesterday






    • 2





      This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

      – Nate Eldredge
      yesterday






    • 1





      This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

      – jpa
      22 hours ago






    • 1





      @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

      – schroeder
      22 hours ago








    9




    9





    Technically correct is the best kind of correct.. but not in this scenario :P

    – Dan Pantry
    yesterday





    Technically correct is the best kind of correct.. but not in this scenario :P

    – Dan Pantry
    yesterday




    14




    14





    @DanPantry - Nothing in the question specified that it had to allow anything.

    – Fake Name
    yesterday





    @DanPantry - Nothing in the question specified that it had to allow anything.

    – Fake Name
    yesterday




    2




    2





    This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

    – Nate Eldredge
    yesterday





    This should maybe have been a comment instead of an answer, but it has a good point within it. Instead of focusing on how to block all attacks, OP should focus on what legitimate strings need to be allowed.

    – Nate Eldredge
    yesterday




    1




    1





    This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

    – jpa
    22 hours ago





    This answer could be improved by mentioning how even the "select" regexp will cause a lot of false matches, for any text containing the word 'select'.

    – jpa
    22 hours ago




    1




    1





    @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

    – schroeder
    22 hours ago





    @FakeName please see the question's edit history. False positives were originally not a concern but became a concern after much discussion in the comments.

    – schroeder
    22 hours ago











    1














    No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).



    If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).



    But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:




    • Use an ORM wrapper which writes SQL queries for you

    • Use parameterized queries (also known as prepared statements)

    • Use a programming language where SQL is part of the language syntax

    • Use stored procedures






    share|improve this answer






























      1














      No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).



      If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).



      But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:




      • Use an ORM wrapper which writes SQL queries for you

      • Use parameterized queries (also known as prepared statements)

      • Use a programming language where SQL is part of the language syntax

      • Use stored procedures






      share|improve this answer




























        1












        1








        1







        No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).



        If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).



        But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:




        • Use an ORM wrapper which writes SQL queries for you

        • Use parameterized queries (also known as prepared statements)

        • Use a programming language where SQL is part of the language syntax

        • Use stored procedures






        share|improve this answer















        No. First of all, there are several evil things you can do with SQL injections which don't require the use of the SELECT keyword, like the infamous universal password ' OR '1' = '1 or the common username Robert'); DROP TABLE Students;--. Also, "select" is a very common word in the English language which might appear in completely benign ways in all kinds of different contexts. So if you filter any input which matches /select/i you are going to get a ton of false positives (16 false positives and counting just on the website your are reading right now, for example).



        If you want to sanitize inputs before sending data to your database, then PHP has a handy function for that purpose (these are those for mySQL, any other database APIs should provide a similar function tailored for that specific database syntax).



        But when you are trying to protect yourself against SQL Injections by blocking certain inputs, then you are fighting the battle at the wrong frontline. It would be much smarter to defend yourself against SQL injections by stopping to create SQL statements by string concatenation. Common alternative ways to interact with databases in a way which makes SQL injections difficult to write unintentionally are:




        • Use an ORM wrapper which writes SQL queries for you

        • Use parameterized queries (also known as prepared statements)

        • Use a programming language where SQL is part of the language syntax

        • Use stored procedures







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 19 hours ago

























        answered 19 hours ago









        PhilippPhilipp

        44.2k7112139




        44.2k7112139























            -1














            No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)



            SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.



            If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.



            The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.



            ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)



            A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.






            share|improve this answer








            New contributor




            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















            • SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

              – schroeder
              21 hours ago











            • Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

              – luis.espinal
              21 hours ago











            • Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

              – luis.espinal
              21 hours ago






            • 1





              You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

              – schroeder
              21 hours ago






            • 3





              Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

              – schroeder
              19 hours ago
















            -1














            No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)



            SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.



            If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.



            The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.



            ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)



            A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.






            share|improve this answer








            New contributor




            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















            • SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

              – schroeder
              21 hours ago











            • Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

              – luis.espinal
              21 hours ago











            • Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

              – luis.espinal
              21 hours ago






            • 1





              You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

              – schroeder
              21 hours ago






            • 3





              Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

              – schroeder
              19 hours ago














            -1












            -1








            -1







            No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)



            SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.



            If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.



            The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.



            ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)



            A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.






            share|improve this answer








            New contributor




            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.










            No. A regexp implementation is typically a regular language (or an extension thereof that allows parsing of some non-regular grammars.)



            SQL on the other hand, it is firmly a non-regular context free language. Ergo, it cannot be parsed by a regular-language regexp.



            If you were to use a regexp extension that uses grouping, you might be able to parse valid SQL, but also invalid SQL or things that might look like SQL but aren't.



            The best thing to be sure is to use a context-free grammar that expresses the SQL dialect you are looking for, if you really were keen to detect a SQL injection attack.



            ps. My personal opinion is that one of the best ways to avoid or minimize sql injection attacks is to never invoke plain SQL from the application (relying instead on stored procedures, which themselves sanitize their arguments.)



            A lot more elbow grease, and not necessarily 100% iron-clad injection-proof. But it does work very well. Caveat emptor obviously, for other developers might have different experiences with such an approach.







            share|improve this answer








            New contributor




            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            share|improve this answer



            share|improve this answer






            New contributor




            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            answered 22 hours ago









            luis.espinalluis.espinal

            1094




            1094




            New contributor




            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





            New contributor





            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.






            luis.espinal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.













            • SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

              – schroeder
              21 hours ago











            • Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

              – luis.espinal
              21 hours ago











            • Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

              – luis.espinal
              21 hours ago






            • 1





              You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

              – schroeder
              21 hours ago






            • 3





              Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

              – schroeder
              19 hours ago



















            • SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

              – schroeder
              21 hours ago











            • Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

              – luis.espinal
              21 hours ago











            • Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

              – luis.espinal
              21 hours ago






            • 1





              You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

              – schroeder
              21 hours ago






            • 3





              Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

              – schroeder
              19 hours ago

















            SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

            – schroeder
            21 hours ago





            SQL is a "non-regular context free language". That's going to need some explanation because that appears false on its face.

            – schroeder
            21 hours ago













            Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

            – luis.espinal
            21 hours ago





            Uh, no. For starters, SQL has been described multiple times in BNF, ergo, it is a context-free language. Here's an example: docs.oracle.com/cd/B28359_01/server.111/b28286/ap_syntx002.htm

            – luis.espinal
            21 hours ago













            Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

            – luis.espinal
            21 hours ago





            Additionally, SQL is neither a right regular grammar nor a left regular grammar. In fact, there's no regular grammar than can capture SELECT x from y where either x or y are SQL SELECT statements themselves.

            – luis.espinal
            21 hours ago




            1




            1





            You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

            – schroeder
            21 hours ago





            You appear to be jumping ahead in some concepts. How do we get to "context-free" from "can be described in BNF"? I think you are bringing in volumes of other concepts without explaining them (or assuming they are true). While I am not trying to assert something else to be true, it is not clear from your answer how your assertions are true. Can you connect some dots?

            – schroeder
            21 hours ago




            3




            3





            Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

            – schroeder
            19 hours ago





            Big difference between being right and being useful. This answer is not useful without the reader delving into several computer science concepts to begin to understand the point you are making. I'm asking you to edit the answer to connect some dots to make this answer more useful.

            – schroeder
            19 hours ago


















            draft saved

            draft discarded




















































            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203843%2fis-it-possible-to-detect-100-of-sqli-with-a-simple-regex%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Щит и меч (фильм) Содержание Названия серий | Сюжет |...

            Венесуэла на летних Олимпийских играх 2000 Содержание Состав...

            Meter-Bus Содержание Параметры шины | Стандартизация |...