Prevent SQL injection from form-generated SQL.
- by Markos Fragkakis
Hi all,
I have a search table where user will be able to filter results with a filter of the type:
Field [Name], Value [John], Remove
Rule
Field [Surname], Value [Blake],
Remove Rule
Field [Has Children], Value [Yes],
Remove Rule
Add Rule
So the user will be able to set an arbitrary set of filters, which will result essentially in a completely dynamic WHERE clause. In the future I will also have to implement more complicated logical expressions, like
Where (name=John OR name=Nick) AND (surname=Blake OR surname=Bourne),
Of all 10 fields the user may or may not filter by, I don't know how many and which filters the user will set. So, I cannot use a prepared statement (which assumes that at least we know the fields in the WHERE clause). This is why prepared statements are unfortunately out of the question, I have to do it with plain old, generated SQL.
What measures can I take to protect the application from SQL Injection (REGEX-wise or any other way)?