tags:

views:

266

answers:

6

used to check user input like username not a login account.

+6  A: 

Not sure why you'd want to find a regular expression that should prevent SQL injection when you can in fact use a function designed specifically to prevent SQL injection, namely mysql_real_escape_string().

Now you might want to limit characters (type and/or number) in your usernames but that's an entirely separate issue. Or at least it should be.

cletus
Better to use prepared statements than to use the escape function, but certainly better to use the escape function than your regexp. :)
Heath Hunnicutt
+3  A: 

No. To prevent SQL injection don't use strings to build your query. Use parameters.

Mark Byers
+2  A: 

Read up on prepared statements. That's one of the best way to avoid SQL-injection. It's supported in mysqli for PHP and in ADO.NET.

jishi
+2  A: 

To prevent SQL injection, you should use parameters rather than putting user input directly into the SQL. Alternatively, you can use some object-relational mapper which also does this internally.

That way, you do not need to care about "evil" characters in user input. (Of course, doing additional validation of user input won't hurt.)

Heinzi
+5  A: 

No, your regexp wouldn't help with SQL injection much at all, I am sorry. Let's look at some SQL injection:

First, suppose you create your SQL commands as strings, such as the following:
snprintf( sqlcommand, dimensionof(sqlcommand), "INSERT INTO users (username, password) VALUES ('%s', '%s')", username, password );

The concern with SQL injection is that the user can create an input value (username or password in this case) which causes the generated SQL command to do something other than intended. For example, if the username were "aardvark','f');DROP/**/TABLE/**/users;--", then the SQL statement generated would become:

INSERT INTO users (username, password) VALUES ('aardvark','f');DROP/**/TABLE/**/users;--', 'password_value')

So, you missed with your regular expression a few points:

  • The usual method of 'breaking out' from the SQL string involves unescaped single-quote characters.
  • /**/ is a separator but not a space.

And you should not fix that regular expression. As others have answered, this approach of filtering input is perilous. At the very least, you could call the mysql_real_escape_string() recommended by Cletus.

However, jishi and Mark Byers have the best answer: use parameterized SQL queries rather than constructing SQL queries out of string manipulation. This approach is infallible compared to processing the input data to escape needed characters.

Please accept jishi or Mark Byers' answers as they were earliest and most correct.

Heath Hunnicutt
+2  A: 

Never use regular expressions to filter out SQL string - you will fail miserably. Use prepared statements instead. Here's an example when using PDO:

$sql = "
    SELECT * FROM users
    WHERE login = :l AND password = :p
";
$pdo = new PDO($dsn, $dbUser, $dbPassword);
$stmt = $pdo->prepare($sql);
$stmt->bindValue('l', $_POST['login']);
$stmt->bindValue('p', md5($_POST['password']));
$stmt->execute();
print_r($stmt->fetch());

This may look like considerably more typing, but it is the only safe way of sanitizing SQL strings. And, anyway, you should be using some sort of Relational Mapper to hide low-level database operations (aka the boring stuff).

Read more on PDO, prepared statements and bound values on php.net.

Michał Rudnicki