Will this regular expression ^[^\s]+$ prevent SQL injection? if No how to get around the restriction?
used to check user input like use开发者_如何学Pythonrname not a login account.
No, your regexp wouldn't help with SQL injection much at all, I am sorry. Let's look at some SQL injection:
First, suppose you create your SQL commands as strings, such as the following:
snprintf( sqlcommand, dimensionof(sqlcommand), "INSERT INTO users (username, password) VALUES ('%s', '%s')", username, password );
The concern with SQL injection is that the user can create an input value (username or password in this case) which causes the generated SQL command to do something other than intended. For example, if the username were "aardvark','f');DROP/**/TABLE/**/users;--", then the SQL statement generated would become:
INSERT INTO users (username, password) VALUES ('aardvark','f');DROP/**/TABLE/**/users;--', 'password_value')
So, you missed with your regular expression a few points:
- The usual method of 'breaking out' from the SQL string involves unescaped single-quote characters.
- /**/ is a separator but not a space.
And you should not fix that regular expression. As others have answered, this approach of filtering input is perilous. At the very least, you could call the mysql_real_escape_string()
recommended by Cletus.
However, jishi and Mark Byers have the best answer: use parameterized SQL queries rather than constructing SQL queries out of string manipulation. This approach is infallible compared to processing the input data to escape needed characters.
Please accept jishi or Mark Byers' answers as they were earliest and most correct.
Not sure why you'd want to find a regular expression that should prevent SQL injection when you can in fact use a function designed specifically to prevent SQL injection, namely mysql_real_escape_string()
.
Now you might want to limit characters (type and/or number) in your usernames but that's an entirely separate issue. Or at least it should be.
No. To prevent SQL injection don't use strings to build your query. Use parameters.
Read up on prepared statements. That's one of the best way to avoid SQL-injection. It's supported in mysqli for PHP and in ADO.NET.
Never use regular expressions to filter out SQL string - you will fail miserably. Use prepared statements instead. Here's an example when using PDO:
$sql = "
SELECT * FROM users
WHERE login = :l AND password = :p
";
$pdo = new PDO($dsn, $dbUser, $dbPassword);
$stmt = $pdo->prepare($sql);
$stmt->bindValue('l', $_POST['login']);
$stmt->bindValue('p', md5($_POST['password']));
$stmt->execute();
print_r($stmt->fetch());
This may look like considerably more typing, but it is the only safe way of sanitizing SQL strings. And, anyway, you should be using some sort of Relational Mapper to hide low-level database operations (aka the boring stuff).
Read more on PDO, prepared statements and bound values on php.net.
To prevent SQL injection, you should use parameters rather than putting user input directly into the SQL. Alternatively, you can use some object-relational mapper which also does this internally.
That way, you do not need to care about "evil" characters in user input. (Of course, doing additional validation of user input won't hurt.)
精彩评论