正则表达式:匹配不带双引号的sql参数
我正在处理 SQL 注入,我需要用 cfquerparam 标签替换 Coldfusion 查询标签中的 sql 参数。 为此,我匹配任何看起来像以下参数的东西:
select * from table
where
test = #var2#,
test ='#var3#'
test2 like '%#test#%'
test3 like '%#test#'
test4 like '#test#%'
但不是
<cfqueryparam value="#test123#">
我当前的正则表达式是:
[%']?#([^#]*)#['%]?
这当前将找到所有sql参数,但也会找到cfqueryparam中的test123。 我需要做的,以及我没有成功的地方,是排除用双引号括起来的 #param# 。 所以,没有 "#test123#" 但所有的都很好。
我尝试在其前面添加 [^"]? ,但随后它也开始选择匹配项前面的其他字符。后面也会发生同样的情况。
有人对此有解决办法吗?
I am dealing with an SQL injection and I need to replace sql params in coldfusion querytags by cfquerparam tags.
For this I am matching anything that looks like the params in this:
select * from table
where
test = #var2#,
test ='#var3#'
test2 like '%#test#%'
test3 like '%#test#'
test4 like '#test#%'
but not
<cfqueryparam value="#test123#">
The current regex I have is:
[%']?#([^#]*)#['%]?
This will currently find all sql params, but also the test123 in the cfqueryparam.
What I need to do, and where I am not succeeding, is exclude #param# surrounded by double quotes.
So, no "#test123#" but all the ones are fine.
I tried adding [^"]? in front of it, but then it also starts selecting others characters in front of the match. Same happens in the back.
Does anyone have a fix for this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
您想要使用 cfqueryparam,这将绑定参数并防止任何类型的 SQL 注入。
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7f6f.html
您实际上可以在标签内使用 % ,如下所示:
You want to use cfqueryparam, this will bind the parameters and prevent any kind of SQL injection.
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7f6f.html
You can actually use the % inside the tag as such:
在我看来,你只是不想要?在[^"]?
这对我有用:
[%'][^"]?#([^#]*)#['%]?seems to me that you just don't want the ? in [^"]?
This works for me:
[%'][^"]?#([^#]*)#['%]?是的,谢谢。
我确实需要稍微改变一下,这个非常适合我:
[%']?[^"]#([^#]*)#['%]?
在这个例子中:
select *, '#attrivutes.表中的名称#'
在哪里
测试=#var2#,
测试='#var3#'
test2 类似于 '%#test#%'
test3 类似于 '%#test#'
test4 就像'#test#%'
(将其放入http://www.regextester.com/)
唯一的小问题是它也捕获了#var2# 前面有空格,但目前这不是一个大问题。如果有人知道如何解决这个问题,我将非常乐意从中学习。
Yes, thanks.
I did need to alter it a bit, this one works perfect for me:
[%']?[^"]#([^#]*)#['%]?
on this example:
select *, '#attrivutes.name#' from table
where
test = #var2#,
test ='#var3#'
test2 like '%#test#%'
test3 like '%#test#'
test4 like '#test#%'
(drop it in http://www.regextester.com/)
Only minor issue is that it also catches the space infront of #var2#, but that is not a big issue for now. If anyone knows how to fix that, I would be very happy to learn from it.
嗯,这个似乎更完整一点:
[']?[%]?[^"]#([^#]*)#[%]?[']?
将 ['%]? 分隔成 [ ']?[%]? 似乎更好,否则它删除了语句中的逗号
插入 bla (col1, col2)
值 ('#val1#','#val2#')
hmmm, this one seems to be a bit more complete:
[']?[%]?[^"]#([^#]*)#[%]?[']?
separating the ['%]? into [']?[%]? seem to be better, otherwise it removed a comma in the statement
insert into bla (col1, col2)
values ('#val1#','#val2#')