Will these regex patterns catch all the needed SQL injections?

We changed our firewall rules (REGEX) to the following:

Name              Type       Context   Severity  Pattern
CS:select_into    signature  http-url  critical  .*\[select\]\s+.*\[into\].*
CS:select_from    signature  http-url  critical  .*\[select\]\s+.*\[from\].*
CS:insert_into    signature  http-url  critical  .*\[insert\]\s+.*\[into\].*
CS:drop_database  signature  http-url  critical  .*\[drop\]\s+.*\[database\].*
CS:drop_table     signature  http-url  critical  .*\[drop\]\s+.*\[table\].*
CS:delete_from    signature  http-url  critical  .*\[delete\]\s+.*\[from\].*
CS:drop_view      signature  http-url  critical  .*\[drop\]\s+.*\[view\].*
CS:exec           signature  http-url  critical  .*\[exec\].*(%28|\().*(%29|\)).*
CS:update_set     signature  http-url  critical  .*\[update\](%20|\+)(%20|\+|.)*\[set\].*

Will this block all SQL injection attempts? For example, is it possible to drop a view using multiple spaces?

-------------Problems Reply------------

A blacklist is the wrong approach. There will always be things you haven't thought of, which the attacker will think of.

What programming language / database are you using? They all have methods of passing parameters to SQL statements. For example:

String userName = ...; // from your GET or POST parameter
String sql = "SELECT id FROM user WHERE user_name = ?";
PreparedStatement stmt = conn.prepareStatement(sql); // conn: an open java.sql.Connection
stmt.setString(1, userName); // bound as a value, never spliced into the SQL text
ResultSet rs = stmt.executeQuery();

See http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements

Trying to prevent SQL injection by filtering out certain words is not going to work - there will always be something you miss, and it will be very time-consuming to try to find everything to cover.

You should look at things like how you query the database - if you're building SQL on the fly and concatenating values from the client directly into the statement, then that's going to be an important area to focus on - switch to using parameterised SQL / stored procedures. Stored procedures will also give you an added layer of security as you can grant permissions to execute those without giving direct permissions on the underlying tables.

You should make sure that any SQL is only executed via a limited privileges account that has no permissions except those the app explicitly needs, rather than attempt to catch every possible permutation of hostile SQL.
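Both replies above recommend parameterised SQL. The following Python/sqlite3 script is an added example (not code from this thread) that puts the concatenated form next to the bound-parameter form; the table, its rows and the user names are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the "user" table used in the replies.
    # The third name is full of SQL keywords but is just data once it is bound.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, user_name TEXT)")
    conn.executemany("INSERT INTO user (user_name) VALUES (?)",
                     [("alice",), ("o'brien",), ("select * from user",)])
    return conn

def find_id_concat(conn, user_name):
    # Vulnerable form: the request value becomes part of the SQL text, so an
    # apostrophe inside it changes the statement's structure (here: a syntax error).
    sql = "SELECT id FROM user WHERE user_name = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_id_param(conn, user_name):
    # Parameterised form: the value is handed to the driver separately and is
    # compared as data, so quotes or SQL keywords inside it are never parsed as SQL.
    sql = "SELECT id FROM user WHERE user_name = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]

def compare(conn, user_name):
    # Returns (result of the concatenated query, result of the bound query).
    try:
        concat = find_id_concat(conn, user_name)
    except sqlite3.OperationalError:
        concat = "syntax error"
    return concat, find_id_param(conn, user_name)

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien", "select * from user"):
        print(repr(name), "->", compare(db, name))
```

Note that the keyword-laden name matches correctly in both forms: a blacklist would have blocked a legitimate value that the bound query handles without any filtering.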

You shouldn't use regex for input filtering.

You should filter your inputs one by one before you give them to the SQL server.

If you insert a string (or anything which is between apostrophes in the SQL statement) you should use your SQL server's escape function, which will prevent any attacks there.

If your data is some type of number (integer or float) then you should check if the data is really a number (you can't do SQL injection without letters). The best way to do this depends on the programming language you use, but mostly type checks or forced typecasts.

You should never insert any untrusted (anything that comes from a user is untrusted) string-like data into an SQL statement where you can't place apostrophes around it, like for a table or a column name.
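An added example (not code from the reply above) for the two cases the reply separates from quoted strings: a numeric value is forced to an integer and then bound, and a column name taken from the request is only used as a key into an assumed allow-list, so the untrusted string itself never reaches the statement. The table and its rows are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample table; not data from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL, note TEXT)")
    conn.executemany("INSERT INTO orders (amount, note) VALUES (?, ?)",
                     [(10.0, "first"), (25.5, "second"), (5.0, "third")])
    return conn

# Assumed allow-list of columns this endpoint may sort by. The request value is
# only a dictionary key; the string sent to the database is always one of these constants.
SORT_COLUMNS = {"id": "id", "amount": "amount"}

def parse_limit(raw):
    # Forced typecast for a numeric field: anything that is not a plain integer is rejected.
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("limit must be an integer") from None
    if not 1 <= value <= 100:
        raise ValueError("limit must be between 1 and 100")
    return value

def list_orders(conn, sort_by, raw_limit):
    # sort_by and raw_limit are untrusted request values.
    if sort_by not in SORT_COLUMNS:
        raise ValueError("unknown sort column")
    column = SORT_COLUMNS[sort_by]
    limit = parse_limit(raw_limit)
    # An identifier cannot be a bound parameter, so it comes from the allow-list;
    # the number can be, so it is bound with '?'.
    sql = "SELECT id FROM orders ORDER BY " + column + " LIMIT ?"
    return [row[0] for row in conn.execute(sql, (limit,))]

if __name__ == "__main__":
    db = make_db()
    print(list_orders(db, "amount", "2"))
    # "note" is a real column but not allow-listed; "abc" is not a number.
    for bad in (("note", "2"), ("amount DESC", "2"), ("amount", "abc")):
        try:
            list_orders(db, *bad)
        except ValueError as exc:
            print(bad, "rejected:", exc)
```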

Category:regex Views:0 Time:2010-10-22
