ansaurus

Question

Will this regex patterns catch all the needed SQL injections?

Answer 1

+19 A:

A blacklist is the wrong approach. There will always be things you haven't thought of, which the attacker will think of.

What programming language / database are you using? They all have methods of passing parameters to SQL statements. For example:

String userName = .... ; // from your GET or POST parameter
String sql = "SELECT id FROM user where user_name=?";
ResultSet rs = executeSql(sql, userName);

See http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

Adrian Smith 2010-10-22 11:20:47

+1 if you're being defensive then you don't blacklist

annakata 2010-10-22 11:21:56

+1 well said, and beat me to it

AdaTheDev 2010-10-22 11:26:35

The blacklist is just an addon to our excisting security. We have implemented more way to prevent this type of hacking. One of our layers is this one, and we noticed that even if we have our other security layers this one stops certain dangerous inputs.

Younes 2010-10-22 13:18:10

Answer 2

+2 A:

Trying to prevent sql injection by filtering out certain words is not going to work - there will always be something you miss and will be very time consuming to try and find everything to cover.

You should look at things like how you query the database - if you're building SQL on the fly and concatenating values from the client directly into the statement, then that's going to be an important area to focus on - switch to using parameterised SQL / stored procedures. Stored procedures will also give you an added layer of security as you can grant permissions to execute those without giving direct permissions on the underlying tables.

AdaTheDev 2010-10-22 11:24:31

Answer 3

+1 A:

You shouldn't use regex for input filtering.

You should filter your input one by one before you give them to the sql server.

If you insert a string (or anything wich is between apostrophes in the sql statement) you should use your sql server's escape function, wich will prevent any attacks there.

If your data is some type of number (integer or float) then you should check if the data is really a number (you can't do sql injection without letters). The best way to do this depends on the programming language you use, but mostly type checks, or forced typecastings.

You should never insert any untrusted(anything is from a user is untrusted) string-like data into an sql statemen, where you can't place apostrophes around it, like for a table or a column name.

mimrock 2010-10-22 11:31:35

Answer 4

A:

You should make sure that any SQL is only executed via a limited privileges account that has no permissions except those the app explicitly needs, rather than attempt to catch every possible permutation of hostile SQL.

CodeByMoonlight 2010-10-22 11:55:24

Well, that's not actually possible in real apps. For example, you might want your app to be able to update a user's balance. You probably don't want to allow it to be tricked into updating that balance to $1M. Privilege restrction won't get you that.

Gaius 2010-10-22 12:18:52

Updates should be more heavily controlled and where possible done under a separately authenticated account. There should be no scope for an account exposed to the possibility of dynamic sql having the permissions to do the commands the OP is trying to block with RegEx. There should be no privileges above the minimum that the app requires.

CodeByMoonlight 2010-10-22 16:17:21

ansaurus

tags:

views:

answers:

Will this regex patterns catch all the needed SQL injections?

related questions