避免在用户生成的SQL正则表达式中进行SQL注入 [英] Avoiding SQL injection in a user-generated SQL-regex

问题描述

我正在创建一个站点，不幸的是，用户必须在该站点中提供要在MySQL WHERE子句中使用的正则表达式.当然，我必须验证用户输入以防止SQL注入.该网站是用PHP制作的，我使用以下正则表达式检查我的正则表达式:

I'm creating a site where the user unfortunately has to provide a regex to be used in a MySQL WHERE clause. And of course I have to validate the user input to prevent SQL injection. The site is made in PHP, and I use the following regex to check my regex:

/^([^\\\\\']|\\\.)*$/

由于PHP处理正则表达式的方式而导致两次转义. 它应该起作用的方式是只匹配安全的正则表达式，而没有转义的单引号.但是我主要是自学成才，所以我想知道这是否是一种安全的方法.

This is double-escaped because of PHP's way of handling regexes. The way it's supposed to work is to only match safe regexps, without unescaped single quotes. But being mostly self-taught, I'd like to know if this is a safe way of doing it.

推荐答案

如果使用准备好的语句，则将无法进行SQL注入.您应该始终使用准备好的语句.

If you use prepared statements, SQL injection will be impossible. You should always use prepared statements.

罗伯(Roborg)对于昂贵的正则表达式提出了一个很好的观点.

Roborg makes an excellent point though about expensive regexes.

这篇关于避免在用户生成的SQL正则表达式中进行SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！