Regular Expression to check for Oracle reserved words and special characters & sql injection attacks
-
Hi, I have searched the internet and I have been able to find a regular expression that stops users from inputting into a text box words that Oracle uses as reserved words, or characters that it considers special to it unless they are enclosed in quotes, along with a regular expression that detects SQL injection attacks. Can anyone help?
-
> Hi, I have searched the internet and I have been able to find a regular expression that stops users from inputting into a text box words that Oracle uses as reserved words, or characters that it considers special to it unless they are enclosed in quotes, along with a regular expression that detects SQL injection attacks. Can anyone help?
Use parameterised queries, unless there is a good reason not to. If there is a good reason not to, escape input on the server side when making up the query. Validating input fields in this way is one of the worst ways to prevent attacks (because it stops users entering legitimate information).
-
> Use parameterised queries, unless there is a good reason not to. If there is a good reason not to, escape input on the server side when making up the query. Validating input fields in this way is one of the worst ways to prevent attacks (because it stops users entering legitimate information).
We are, in a way, undertaking parameterised queries. I am actually building a query tool in WPF and restricting what sort of queries a user can run. All I am trying to do is ensure that, where a user sets a constraint such as name like = 'Bob', they cannot enter a reserved word or use it to launch an attack. This is why I am looking for a regular expression!
-
> Hi, I have searched the internet and I have been able to find a regular expression that stops users from inputting into a text box words that Oracle uses as reserved words, or characters that it considers special to it unless they are enclosed in quotes, along with a regular expression that detects SQL injection attacks. Can anyone help?
If you are using PHP at the front end this is a very helpful tutorial: Clickety[^]. The generally accepted advice is to escape non-alphanumeric characters in text entry boxes, and mysql_real_escape_string() should do the job for you if it is PHP at the front end...
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
-
> If you are using PHP at the front end this is a very helpful tutorial: Clickety[^]. The generally accepted advice is to escape non-alphanumeric characters in text entry boxes, and mysql_real_escape_string() should do the job for you if it is PHP at the front end...
> Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
It is WPF, or Windows Presentation Foundation, in C# with an Oracle 10g database, not PHP and MySQL.
-
> Hi, I have searched the internet and I have been able to find a regular expression that stops users from inputting into a text box words that Oracle uses as reserved words, or characters that it considers special to it unless they are enclosed in quotes, along with a regular expression that detects SQL injection attacks. Can anyone help?
-
> It is WPF, or Windows Presentation Foundation, in C# with an Oracle 10g database, not PHP and MySQL.
Check this out: oracle_sql_injection_attacks[^]. It is also the responsibility of the DBA to ensure that, whatever you pass in to Oracle, you are not able to create an injection attack - so talk this over with the DBA too.
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
-
> We are, in a way, undertaking parameterised queries. I am actually building a query tool in WPF and restricting what sort of queries a user can run. All I am trying to do is ensure that, where a user sets a constraint such as name like = 'Bob', they cannot enter a reserved word or use it to launch an attack. This is why I am looking for a regular expression!
But what if the user's name includes a banned character (e.g. O'Donnell)? I'm sure there are a few people with surnames that are database reserved words, too. This is why you should escape whatever is passed to you so it isn't an injection string, not 'validate' in such a way that legitimate user input is excluded. Producing a safe SQL string is relatively easy if what you're escaping is always going to be a quoted parameter: you need to escape quotes, and it is a good idea to do semicolons for paranoia too.
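An added C# example (not code from this thread) of the escaping approach described in the reply above, for the case where the user's value always lands inside a single-quoted Oracle literal and a bind variable genuinely cannot be used. The class and method names are my own. The only character that can terminate a single-quoted literal is another single quote, so that is the one that must be doubled; once the quote is handled, semicolons and anything else inside the literal are plain text to Oracle. The LIKE-wildcard helper is an assumption about how the tool uses the value and needs an ESCAPE clause on the query.

```csharp
using System;

// Added example, not code from the thread. Turns a raw user value into a quoted
// Oracle string literal for a constraint such as  NAME LIKE 'value'  when a bind
// variable really cannot be used. A single-quoted literal can only be terminated
// by another single quote, so doubling quotes is the one escape that matters.
public static class OracleLiteral
{
    // "O'Donnell"          -> 'O''Donnell'
    // "Bob; 'DROP TABLE'"  -> 'Bob; ''DROP TABLE'''   (just text to Oracle)
    public static string Quote(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        return "'" + value.Replace("'", "''") + "'";
    }

    // Assumed helper for LIKE constraints: also escapes the wildcards % and _
    // so a user searching for a literal "50%" gets exactly that. The query
    // must then carry  ESCAPE '\'  after the LIKE pattern.
    public static string QuoteForLike(string value)
    {
        string pattern = value.Replace("\\", "\\\\")
                              .Replace("%", "\\%")
                              .Replace("_", "\\_");
        return Quote(pattern);
    }

    // Constructed demonstration of how a fixed column, a fixed operator and the
    // escaped user value are assembled. Only the value ever comes from the user.
    public static string BuildNameConstraint(string userValue)
    {
        return "NAME LIKE " + QuoteForLike(userValue) + " ESCAPE '\\'";
    }
}

// OracleLiteral.BuildNameConstraint("Bob; 'DROP TABLE'") gives
//   NAME LIKE 'Bob; ''DROP TABLE''' ESCAPE '\'
// which compares NAME against that text and executes nothing else.
```

Escaping covers only what sits inside the quotes. The column name and operator are outside them, so they must come from the tool (or from an allow-list), never from the user's text box, whatever escaping is applied to the value.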
-
> Check this out: oracle_sql_injection_attacks[^]. It is also the responsibility of the DBA to ensure that, whatever you pass in to Oracle, you are not able to create an injection attack - so talk this over with the DBA too.
> Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)
We have already done this, but what we are doing is creating a query tool that runs against a query database that is a copy of the main database. The users' queries run against some views; because the users can create any number of combinations of queries against these views, it is not possible to use binding or any of the usual stuff. Therefore, we have to be as flexible as possible. We control what they can select on and join on with the views, but we cannot control their constraints such as "name Like "Bob"". Therefore, it is imperative for me to have a way of stopping "Bob; 'DROP TABLE'" type situations.
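An added example, not code from this thread, showing that the constraint side of such a tool can still use bind variables even when the user types the constraint freely: the text is split into column, operator and value; column and operator are checked against allow-lists the tool already has for its views (the post above says the tool controls the select and join side); only the value goes to Oracle, and it goes as a parameter, so Oracle treats it purely as data. It targets ODP.NET (Oracle.DataAccess.Client); the view name V_PEOPLE, its columns and the connection string are placeholders I made up.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Oracle.DataAccess.Client;   // ODP.NET

// Added example, not code from the thread. Builds a parameterised query from a
// user-typed constraint such as  name like Bob; 'DROP TABLE'  by allow-listing
// the column and operator and binding the value. Names below are placeholders.
public static class ConstraintBuilder
{
    // Columns the user may filter on, per view (what the tool already knows).
    private static readonly Dictionary<string, HashSet<string>> ViewColumns =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "V_PEOPLE", new HashSet<string>(StringComparer.OrdinalIgnoreCase)
                          { "NAME", "CITY", "SALARY" } },
        };

    // Operators the tool permits. Anything else is rejected, not "cleaned".
    private static readonly HashSet<string> Operators =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "=", "<>", "<", "<=", ">", ">=", "LIKE" };

    // column  operator  value ; the value may contain spaces, quotes, semicolons.
    private static readonly Regex ConstraintPattern = new Regex(
        @"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=|<>|<=|>=|<|>|like)\s*(.+?)\s*$",
        RegexOptions.IgnoreCase);

    public static OracleCommand Build(OracleConnection conn, string view, string constraint)
    {
        HashSet<string> columns;
        if (!ViewColumns.TryGetValue(view, out columns))
            throw new ArgumentException("Unknown view: " + view);

        Match m = ConstraintPattern.Match(constraint);
        if (!m.Success)
            throw new ArgumentException("Constraint must look like: COLUMN OP VALUE");

        string column = m.Groups[1].Value.ToUpperInvariant();
        string op = m.Groups[2].Value.ToUpperInvariant();
        string value = m.Groups[3].Value;

        if (!columns.Contains(column))
            throw new ArgumentException("Column not available for filtering: " + column);
        if (!Operators.Contains(op))
            throw new ArgumentException("Operator not permitted: " + op);

        // Users often type 'Bob' with quotes; the quotes are decoration, not SQL.
        if (value.Length >= 2 && value[0] == '\'' && value[value.Length - 1] == '\'')
            value = value.Substring(1, value.Length - 2);

        // View, column and operator all come from allow-lists, so splicing them
        // is safe. The value is a bind variable and is never part of the SQL text.
        var cmd = new OracleCommand(
            "SELECT * FROM " + view.ToUpperInvariant() + " WHERE " + column + " " + op + " :val",
            conn);
        cmd.BindByName = true;
        cmd.Parameters.Add("val", OracleDbType.Varchar2).Value = value;
        return cmd;
    }

    // Constructed usage: the hostile-looking input is only ever a bind value.
    public static void Example()
    {
        using (var conn = new OracleConnection("PLACEHOLDER CONNECTION STRING"))
        {
            conn.Open();
            using (OracleCommand cmd = Build(conn, "V_PEOPLE", "name like Bob; 'DROP TABLE'"))
            using (OracleDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read()) { /* display the row */ }
            }
        }
    }
}
```

A real tool would pick the OracleDbType from the view's column metadata instead of always binding Varchar2, and would reject a constraint that does not parse rather than fall back to string building. The point for the thread is that "the user types the constraint" does not rule out binding: only the value is free text, and the value is exactly what a bind variable is for.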
-
> We have already done this, but what we are doing is creating a query tool that runs against a query database that is a copy of the main database. The users' queries run against some views; because the users can create any number of combinations of queries against these views, it is not possible to use binding or any of the usual stuff. Therefore, we have to be as flexible as possible. We control what they can select on and join on with the views, but we cannot control their constraints such as "name Like "Bob"". Therefore, it is imperative for me to have a way of stopping "Bob; 'DROP TABLE'" type situations.
Hi, just wanted to let you know that it is not me down-voting your comments. I hope you find a solution; when you do, let us know :)
Continuous effort - not strength or intelligence - is the key to unlocking our potential.(Winston Churchill)