#1 (permalink)

Regular Expression help C#

Guys, maybe you can help.

I have a method that basically parses any string sent to it to ensure patterns that could be interpreted as a possible SQL injection do not exist before sending the data to the database. One of the requirements is that it must look for any of the common words for SQL - UPDATE, INSERT, DELETE, etc. and remove them. Now I need it to keep the words in the string, but check to make sure there are no spaces after the potential command

SELECT [unknown number of spaces after the 'SELECT' need to be removed while maintaining any other words that follow

ie: SELECT [unknown spaces] the number of cards would now become
SELECT|the number of cards

I need a RegEx pattern in C# 1.1 that can look for key words containing AT LEAST ONE space after the key word and only the keyword and any following spaces with the pipe character.

I have my pattern started, but I cannot seem to figure how to only apply this particular case above. Maybe I'm just having a brain drain, I don't know, but I can't get it to work. Somehow I need a variable in the expression

    Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");

--
JP
.NET Software Developer
#2 (permalink)

Re: Regular Expression help C#

JP wrote:

> Guys, maybe you can help.
>
> I have a method that basically parses any string sent to it to ensure
> patterns that could be interpreted as a possible SQL injection do not exist
> before sending the data to the database. One of the requirements is that it must
> look for any of the common words for SQL - UPDATE, INSERT, DELETE, etc. and
> remove them. Now I need it to keep the words in the string, but check to make
> sure there are no spaces after the potential command
>
> SELECT [unknown number of spaces after the 'SELECT' need to be removed while
> maintaining any other words that follow
>
> ie: SELECT [unknown spaces] the number of cards would now become
> SELECT|the number of cards
>
> I need a RegEx pattern in C# 1.1 that can look for key words containing AT
> LEAST ONE space after the key word and only the keyword and any following
> spaces with the pipe character.
>
> I have my pattern started, but I cannot seem to figure how to only apply
> this particular case above. Maybe I'm just having a brain drain, I don't know,
> but I can't get it to work. Somehow I need a variable in the expression
>
> Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");

    String sOutput = Regex.Replace(sInput, "^\\s*(SELECT|INPUT|UPDATE)\\s+", "");

But I don't know exactly what you want to do.

You cannot be sure to find all harmful commands. For example "/*Hello*/DROP/*You*/TABLE Bla".

If you apply your data through "?"-Parameters or correctly quoted, nothing bad can happen.

Markus
#3 (permalink)

Re: Regular Expression help C#

On Tue, 2 Jun 2009 09:33:12 -0700, JP <JP@xxxxxx> wrote:

> Guys, maybe you can help.
>
> I have a method that basically parses any string sent to it to ensure
> patterns that could be interpreted as a possible SQL injection do not exist
> before sending the data to the database. One of the requirements is that it must
> look for any of the common words for SQL - UPDATE, INSERT, DELETE, etc. and
> remove them. Now I need it to keep the words in the string, but check to make
> sure there are no spaces after the potential command
>
> SELECT [unknown number of spaces after the 'SELECT' need to be removed while
> maintaining any other words that follow
>
> ie: SELECT [unknown spaces] the number of cards would now become
> SELECT|the number of cards
>
> I need a RegEx pattern in C# 1.1 that can look for key words containing AT
> LEAST ONE space after the key word and only the keyword and any following
> spaces with the pipe character.
>
> I have my pattern started, but I cannot seem to figure how to only apply
> this particular case above. Maybe I'm just having a brain drain, I don't know,
> but I can't get it to work. Somehow I need a variable in the expression
>
> Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");

Not only can't you think of all possible bad keywords, what if the keywords legitimately appear in data?
#4 (permalink)

Re: Regular Expression help C#

Hello JP,

> Guys, maybe you can help.
>
> I have a method that basically parses any string sent to it to ensure
> patterns that could be interpreted as a possible SQL injection do not
> exist before sending the data to the database. One of the requirements
> is that it must look for any of the common words for SQL - UPDATE,
> INSERT, DELETE, etc. and remove them. Now I need it to keep the words
> in the string, but check to make sure there are no spaces after the
> potential command
>
> SELECT [unknown number of spaces after the 'SELECT' need to be removed
> while maintaining any other words that follow
>
> ie: SELECT [unknown spaces] the number of cards would now become
> SELECT|the number of cards
>
> I need a RegEx pattern in C# 1.1 that can look for key words
> containing AT LEAST ONE space after the key word and only the keyword
> and any following spaces with the pipe character.
>
> I have my pattern started, but I cannot seem to figure how to only
> apply this particular case above. Maybe I'm just having a brain drain, I
> don't know, but I can't get it to work. Somehow I need a variable in
> the expression
>
> Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");

right way, you should never have to worry about SQL injection. And it's faster too.

The problem with using a regex here is that many valid pieces of text will contain words like update, delete, drop, insert, select, create, (trying to think of more from the top of my head)... the problem is that there are more keywords than you could ever take into account, especially if you take database independency into account.

The second is that I don't understand why you'd want to remove spaces....

And trying to figure out what your expression does is also a bit of a struggle... it looks for any number of spaces, followed by anything other than a whitespace character, followed by any number of spaces... replacing it with just the stuff in between... that would simply remove all spaces from a file...

A simple expression to remove all spaces except one is: "(\s)\1*" -> "$1", or even better: "\s+" -> " ". It would look for the whitespaces, not the words around them.

--
Jesse Houwing
jesse.houwing at sogeti.nl
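Added example, not part of the original thread or any poster's code: it runs a keyword-stripping regex of the kind asked for over two constructed inputs (ordinary text, and the comment-separated string from reply #2), then builds a parameterized command for the same inputs. Assumptions: the SQL Server provider (`System.Data.SqlClient`) with a named `@body` parameter instead of a "?" placeholder, a hypothetical `StripKeywords` helper, and a made-up `Notes (Body)` table; no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

class KeywordFilterVsParameters
{
    // Hypothetical keyword filter: removes a SQL keyword plus the spaces after it.
    static string StripKeywords(string input)
    {
        return Regex.Replace(input, @"\b(SELECT|INSERT|UPDATE|DELETE|DROP)\s+", "",
                             RegexOptions.IgnoreCase);
    }

    // Parameterized command: the SQL text is fixed and the user value is bound
    // as data. Table and column names are constructed for this example.
    static SqlCommand BuildInsert(string body)
    {
        SqlCommand cmd = new SqlCommand("INSERT INTO Notes (Body) VALUES (@body)");
        cmd.Parameters.Add("@body", SqlDbType.NVarChar, 4000).Value = body;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: harmless prose, and the string from reply #2.
        string[] samples = {
            "Please select the update option before you delete the draft",
            "/*Hello*/DROP/*You*/TABLE Bla"
        };

        foreach (string s in samples)
        {
            // The filter mangles the prose but leaves the second string intact,
            // because no whitespace follows the keyword there.
            Console.WriteLine("input    : " + s);
            Console.WriteLine("filtered : " + StripKeywords(s));

            // With a bound parameter the command text never changes; the input
            // is stored verbatim as a value and is not parsed as SQL.
            SqlCommand cmd = BuildInsert(s);
            Console.WriteLine("sql text : " + cmd.CommandText);
            Console.WriteLine("@body    : " + cmd.Parameters["@body"].Value);
            Console.WriteLine();
        }
    }
}
```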