Prevent SQL injection from form-generated SQL - NO PreparedStmts
Posted
by Markos Fragkakis
on Stack Overflow
See other posts from Stack Overflow
or by Markos Fragkakis
Published on 2010-05-17T20:29:33Z
Indexed on
2010/05/17
21:20 UTC
Read the original article
Hit count: 528
Hi all,
I have a search table where user will be able to filter results with a filter of the type:
- Field [Name], Value [John], Remove Rule
- Field [Surname], Value [Blake], Remove Rule
- Field [Has Children], Value [Yes], Remove Rule
- Add Rule
So the user will be able to set an arbitrary set of filters, which will result essentially in a completely dynamic WHERE clause. In the future I will also have to implement more complicated logical expressions, like
Where (name=John OR name=Nick) AND (surname=Blake OR surname=Bourne),
Of all 10 fields the user may or may not filter by, I don't know how many and which filters the user will set. So, I cannot use a prepared statement (which assumes that at least we know the fields in the WHERE clause). This is why prepared statements are unfortunately out of the question, I have to do it with plain old, generated SQL.
What measures can I take to protect the application from SQL Injection (REGEX-wise or any other way)?
© Stack Overflow or respective owner