Prevent SQL injection from form-generated SQL - NO PreparedStmts

Posted by Markos Fragkakis on Stack Overflow See other posts from Stack Overflow or by Markos Fragkakis
Published on 2010-05-17T20:29:33Z Indexed on 2010/05/17 21:20 UTC
Read the original article Hit count: 528

Filed under:
|
|
|
|

Hi all,

I have a search table where user will be able to filter results with a filter of the type:

  • Field [Name], Value [John], Remove Rule
  • Field [Surname], Value [Blake], Remove Rule
  • Field [Has Children], Value [Yes], Remove Rule
  • Add Rule

So the user will be able to set an arbitrary set of filters, which will result essentially in a completely dynamic WHERE clause. In the future I will also have to implement more complicated logical expressions, like

Where (name=John OR name=Nick) AND (surname=Blake OR surname=Bourne),

Of all 10 fields the user may or may not filter by, I don't know how many and which filters the user will set. So, I cannot use a prepared statement (which assumes that at least we know the fields in the WHERE clause). This is why prepared statements are unfortunately out of the question, I have to do it with plain old, generated SQL.

What measures can I take to protect the application from SQL Injection (REGEX-wise or any other way)?

© Stack Overflow or respective owner

Related posts about sql-injection

Related posts about java