What pattern to check on an SQL query for possible injection?


What pattern to check on an SQL query for possible injection?



I want to detect possible SQL injection atack by checking the SQL query. I am using PDO and prepared statement, so hopefully I am not in the danger of getting attacked by someone. However, what I want to detect is the possibility of input/resulting query string that may become a dangerous query. For example, my app--properly--will never generate "1=1" query, so I may check the generated query string for that, and flag the user/IP producing that query. Same thing with "drop table", but maybe I can check only by looping the input array; or maybe I should just check to the generated query all over again. I am using MySQL, but pattern for other drivers are also appreciated.



I have read RegEx to Detect SQL Injection and some of the comments are heading in this direction. To my help, I'm developing for users that rarely use English as input, so a simple /drop/ match on the query may be enough to log the user/query for further inspection. Some of the pattern I found while researching SQL injection are:



All of the above are easier to detect by looping the input values before the query string is generated because they haven't been escaped. But how much did I miss? (a lot, I guess) Any other obscure pattern I should check? What about checking the generated query? Any pattern that may emerge?



tl;dr: What pattern to match an SQL query (MySQL) to check for possible injection? I am using PDO with prepared statement and value binding, so the check is for logging/alert purposes.





Use parameters. Then you don't need to worry about SQL injection.
– Gordon Linoff
Jun 30 at 13:35





The answer is the same as the one from your link: "Don't do it. You're practically guaranteed to fail. Use PreparedStatement (or its equivalent) instead."
– Paul Spiegel
Jun 30 at 13:49





I'm not too wory about the injection. What I want to know is if any user is trying to "inject" the app.
– D. Base
Jun 30 at 15:32





3 Answers
3



In my shop we have two rules.


intval()


Jones


O'Brien


St. John-Smythe


'


-


.



If 2 is too hard follow rule 1.



We inspect code to make sure we're doing these things.





I follow rule 1. That's not the point, though. What I want to do is to log those who are attempting to do sql injection, so I was thinking to check the input against some known injection pattern so I can mark those users; checkng the input is wee bit too cumbersome as in double loops before sanitizing, while query checking is simpler because I can hook right before/after query execution.
– D. Base
Jun 30 at 18:17



But how much did I miss?



You guess right. Creating a huge blacklist wouldn't make your code immune. This approach is history. The other questions follow the same idea.



Your best bets are:



Few steps but bulletproof.





I'm not trying to blacklist query. I want to know if there's any of the user is trying to.
– D. Base
Jun 30 at 15:36





That's called blacklisting.
– revo
Jun 30 at 16:10





I was thinking blacklisting would make the app reject the query. Anyway, the query, especially the description-like text input will not reject the user's input, but I want the app to log the user writing that kind of input. And, yes, all inputs use prepared statements and parameter binding for the query itself.
– D. Base
Jun 30 at 17:41



Not possible.



You will spend the rest of your life in an armament race -- you build a defense, they build a better weapon, then you build a defense against that, etc, etc.


SELECT


root


SET


LOAD DATA



Instead, decide on the minimal set of queries you allow, then parameterize that so you can check, or escape, the pieces individually. Then build the query.






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

PySpark - SparkContext: Error initializing SparkContext File does not exist

Image
PySpark - SparkContext: Error initializing SparkContext File does not exist I have small piece code in PySpark, but I keep getting errors. I'm new to this so im not sure where to start. from pyspark import SparkContext, SparkConf conf = SparkConf().setAppName("Open json").setMaster("local[3]") sc = SparkContext(conf = conf) print("Done") I ran this in cmd with the command : spark-submit .PySparkOpen.py I then get the following error statement: C:UsersAbdullahDocumentsMaster Thesis>spark-submit .PySparkOpen.py 18/06/30 15:21:58 WARN NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-Java classes where applicable 18/06/30 15:22:01 ERROR SparkContext: Error initializing SparkContext. java.io.FileNotFoundException: File file:/C:/Users/Abdullah/Documents/Master%20Thesis/PySpark/Open.py does not exist at org.apache.hadoop.fs.RawLocalFileSystem.deprecatedGetFileStatus(RawLocalFileSystem.java:611) at...
Read more

List of Kim Possible characters

Image
From left to right: Wade (on monitor screen), Dr. James Timothy Possible, Mrs. Dr. Ann Possible, Ron, Rufus, Kim Possible, Shego, Dr. Drakken, Monkey Fist, Señor Senior Sr., Adrena Lynn, and Señor Senior Jr. This is a list of characters appearing in the animated series Kim Possible . Team Possible Kim Possible Main article: Kim Possible (character) Voiced by: Christy Carlson Romano and Dakota Fanning (Preschool Kim; Kim Possible: A Sitch In Time ) Kimberly Ann “Kim” Possible is a crime fighter and high school cheerleading captain who saves the world on a regular basis while dealing with the normal challenges of being a teenager, such as winning cheer competitions, turning in her homework on time, and maintaining a love life. Her name is a play on the word “impossible.” Kim has known Ron Stoppable, her sidekick for most missions, since preschool. She has also completed missions with Wade, Monique, her brothers, and even her mother. In season four, Kim and Ron end up developing romanti...
Read more

Python Tkinter Error, “Too Early to Create Image”

Python Tkinter Error, “Too Early to Create Image” So I have an assignment that I have to use Tkinter to create a board game. This is just one part of the program where I want to bring in the image of the board. But I keep on getting the error, "Too early to create image" and I'm not sure what I'm doing wrong. Here's my code so far: from Tkinter import * from pprint import pprint # Which variable is currently updating from variableColors import Variables VariableIndex = 0 VariableText = Variables[VariableIndex] Ids = None # Current canvas ids of the text and 4 player tokens: # Will be None if not committed VariableCoords = { } # Where store variable and coordinates im = PhotoImage(file="C:UsersKikiDesktopAssignment\") photo = can.create_image(0,0,anchor=NW, image=im) can.pack() root.mainloop() Any help would be appreciated. Thanks :) 1 Answer ...
Read more