用于检测 WinForms 中 SQL 注入的正则表达式
我想要缓存输入,这看起来就像 SQL 注入。所以我写了这个方法:
public static bool IsInjection(string inputText)
{
bool isInj = false;
string regexForTypicalInj = @"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix";
Regex reT = new Regex(regexForTypicalInj);
if (reT.IsMatch(inputText))
isInj = true;
string regexForUnion = @"/((\%27)|(\'))union/ix";
Regex reUn = new Regex(regexForUnion);
if (reUn.IsMatch(inputText))
isInj = true;
string regexForSelect = @"/((\%27)|(\'))select/ix";
Regex reS = new Regex(regexForSelect);
if (reS.IsMatch(inputText))
isInj = true;
string regexForInsert = @"/((\%27)|(\'))insert/ix";
Regex reI = new Regex(regexForInsert);
if (reI.IsMatch(inputText))
isInj = true;
string regexForUpdate = @"/((\%27)|(\'))update/ix";
Regex reU = new Regex(regexForUpdate);
if (reU.IsMatch(inputText))
isInj = true;
string regexForDelete = @"/((\%27)|(\'))delete/ix";
Regex reDel = new Regex(regexForDelete);
if (reDel.IsMatch(inputText))
isInj = true;
string regexForDrop = @"/((\%27)|(\'))drop/ix";
Regex reDr = new Regex(regexForDrop);
if (reDr.IsMatch(inputText))
isInj = true;
string regexForAlter = @"/((\%27)|(\'))alter/ix";
Regex reA = new Regex(regexForAlter);
if (reA.IsMatch(inputText))
isInj = true;
string regexForCreate = @"/((\%27)|(\'))create/ix";
Regex reC = new Regex(regexForCreate);
if (reC.IsMatch(inputText))
isInj = true;
return isInj;
}
但似乎我犯了一些错误,因为我的代码没有检测到注入。我做错了什么?我猜定义正则表达式有问题吗?
i uwant to cach input, which seems to be like SQL injection. So I wrote the method:
public static bool IsInjection(string inputText)
{
bool isInj = false;
string regexForTypicalInj = @"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix";
Regex reT = new Regex(regexForTypicalInj);
if (reT.IsMatch(inputText))
isInj = true;
string regexForUnion = @"/((\%27)|(\'))union/ix";
Regex reUn = new Regex(regexForUnion);
if (reUn.IsMatch(inputText))
isInj = true;
string regexForSelect = @"/((\%27)|(\'))select/ix";
Regex reS = new Regex(regexForSelect);
if (reS.IsMatch(inputText))
isInj = true;
string regexForInsert = @"/((\%27)|(\'))insert/ix";
Regex reI = new Regex(regexForInsert);
if (reI.IsMatch(inputText))
isInj = true;
string regexForUpdate = @"/((\%27)|(\'))update/ix";
Regex reU = new Regex(regexForUpdate);
if (reU.IsMatch(inputText))
isInj = true;
string regexForDelete = @"/((\%27)|(\'))delete/ix";
Regex reDel = new Regex(regexForDelete);
if (reDel.IsMatch(inputText))
isInj = true;
string regexForDrop = @"/((\%27)|(\'))drop/ix";
Regex reDr = new Regex(regexForDrop);
if (reDr.IsMatch(inputText))
isInj = true;
string regexForAlter = @"/((\%27)|(\'))alter/ix";
Regex reA = new Regex(regexForAlter);
if (reA.IsMatch(inputText))
isInj = true;
string regexForCreate = @"/((\%27)|(\'))create/ix";
Regex reC = new Regex(regexForCreate);
if (reC.IsMatch(inputText))
isInj = true;
return isInj;
}
But seems I have done some mistakes, becouse my code do not detects injections. What i do wrong? I guess theres something wrong in defining Regex expressions?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
不要尝试使用正则表达式来做到这一点 - 有太多方法可以解决它。请参阅这个关于使用正则表达式解析的经典SO答案 -它特定于 HTML,但仍然适用。
您应该使用参数,这些位于BCL中并且具有反SQL内置注入措施。
更新:(以下注释)
如果您确实必须解析 SQL,请不要使用 RegEx,原因如链接文章中所述。 RegEx 不是解析器,不应该被用作解析器。
使用 SQL 解析器 - 这应该有助于清理尝试。这是一个,这里另一个。
您可以用这些继续您的科学研究。
Don't try to do this with RegEx - there are too many ways around it. See this classic SO answer about parsing with RegEx - it is specific to HTML, but still applies.
You should use Parameters, these are in the BCL and have anti SQL injection measures built in.
Update: (following comments)
If you really must parse the SQL, do not use RegEx for the reasons outlined in the linked article. RegEx is not a parser and should not be used as one.
Use a SQL parser - this should help with sanitizing attempts. Here is one, here another.
You can continue your scientific investigation with these.
不要使用字符串解析或正则表达式来处理此类事情。 SQL 语法太复杂,无法使用正则表达式进行可靠解析。
相反,使用带有占位符的参数化查询并完全避免字符串连接。这将从根本上击败 SQL 注入。
Do not use string parsing or regular expressions to handle this sort of thing. SQL syntax is too complicated to reliably parse with regular expressions.
Instead use parametrized queries with placeholders and avoid string concatenation altogether. This will defeat SQL injection at its root.
如果你真的想帮助你的“经验不足的程序员”,你最好尝试检测他们何时在代码中执行内联 sql。编写 FxCop 规则来发现它应该不会太困难。如果您将其作为构建后流程的一部分,或者如果您有团队系统,则设置构建失败的规则,他们很快就会掌握窍门。
If you really want to help out your "not so experienced programmers", you'd be better off trying to detect when they are doing inline sql in their code. It shouldn't be too difficult to write an FxCop rule to spot it. If you include it as part of a post build process, or if you have team system, set the rule to fail the build, they'll soon get the hang of it.
SQL 注入的问题在于,用户输入被用作 SQL 语句的一部分。通过使用准备好的语句,您可以强制将用户输入作为参数的内容进行处理(而不是作为 SQL 命令的一部分)。查询参数通过将文字值与 SQL 语法分开来帮助避免这种风险。
大多数客户端 API(包括 .NET)都支持查询参数化。这允许将用户输入作为参数嵌入。这些参数是用户输入值的占位符,该值在执行时被替换。这样用户就无法注入 SQL 代码,因为整个用户条目被视为参数的值,而不是附加到查询的字符串。
参数化是应对SQL注入攻击的最佳解决方案。
The problem with SQL injection is, that a user input is used as part of the SQL statement. By using prepared statements you can force the user input to be handled as the content of a parameter (and not as a part of the SQL command). Query parameters help to avoid this risk by separating literal values from the SQL syntax.
Most client APIs (including .NET) support parameterization of queries. This allows embedding the user input as parameters. The parameters are placeholders for user entered value which is replaced at execution time. That way the user cannot inject SQL code as the whole user entry is treated as value for the parameter, not as string appended to the query.
parameterization is the best solution for SQL injection attacks.