
From time to time I come across this problem and I finally want a solution for this once and for all.

It's best to come up with an example that could be used practically. Imagine you have an application with a lot of INSERT INTO statements using MySQL and PHP, and you want to find statements that do not have a mysql_real_escape_string() because they would be vulnerable to SQL injection. To keep it simple, let's assume that each query ends with a semicolon.

So how do you match strings that start with "INSERT INTO" and end with ";" and don't contain "mysql_real_escape_string"?

My assumption is that the quantifiers you have to use (+ and *) and the fact that a regex is always trying to match will lead to the behaviour that the regex eats just as many characters as it needs so that a lookahead or lookbehind for the not-contained string does not find it, even if it is there. That's the core problem, I think.

  • I know this is not an answer, but the mysql_XXX API is basically broken. Better use mysqli_XXX or PDO; these allow for prepared statements, which is the actual answer to SQL injection. 'mysql_' is easy to grep for, BTW. Commented Jun 23, 2011 at 6:02
  • Not only insert queries can be vulnerable, just wanted to note. Commented Jun 23, 2011 at 6:10
  • It was just an example. I am not interested in escaping and don't even use mysql. Maybe I should change it to something totally random. Commented Jun 23, 2011 at 6:13

1 Answer


Use negative lookahead:

^INSERT INTO(?!mysql_real_escape_string)(.(?!mysql_real_escape_string))*;$

2 Comments

Tried it with "INSERT INTO sdfsdffsfd mysql_real_escape_string sdfsdf;" which didn't work. As expected, ".*" eats up almost everything and after that "mysql_real_escape_string" can't be found. This happens even with an ungreedy quantifier. Because the regex tries to match.
That's great! Now I remember, I even used something like that a long time ago. It's quite an important pattern. Every single character is read and then it is checked if the string does not appear after it. Thanks!
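The accepted pattern, run over constructed input, as an added example that is not part of the original question or answer. It reproduces the asker's failing test string, shows why a plain ".*" cannot express "does not contain", and adds two things the thread does not: the equivalent single-lookahead form (?!.*forbidden), and a multi-line variant for queries wrapped across lines, where the single-lookahead form produces a false negative because its ".*" scans the whole rest of the file. The sample statements, the WRAPPED input and the helper find_unescaped are all my own constructions.

```python
import re

FORBIDDEN = "mysql_real_escape_string"
F = re.escape(FORBIDDEN)

# The answer's pattern ("tempered" dot): assert the forbidden string does not
# start right after "INSERT INTO", then consume one character at a time,
# re-asserting after each character, until the terminating ";" at end of line.
TEMPERED = re.compile(rf"^INSERT INTO(?!{F})(?:.(?!{F}))*;$", re.MULTILINE)

# Naive attempt: ".*" has no way to say "does not contain", so this flags
# escaped and unescaped statements alike (the asker's observation).
NAIVE = re.compile(r"^INSERT INTO.*;$", re.MULTILINE)

# Alternative (my addition, not from the answer): one lookahead that scans the
# rest of the line once. Equivalent per line; see the multi-line case below.
ANCHORED = re.compile(rf"^INSERT INTO(?!.*{F}).*;$", re.MULTILINE)

# Multi-line variants (my addition). DOTALL lets "." cross newlines; the lazy
# "*?" stops at the first ";", so the tempered form still judges one statement
# at a time, while the anchored lookahead now sees the whole remaining file.
TEMPERED_MULTILINE = re.compile(rf"INSERT INTO(?!{F})(?:.(?!{F}))*?;", re.DOTALL)
ANCHORED_MULTILINE = re.compile(rf"INSERT INTO(?!.*{F}).*?;", re.DOTALL)

# Constructed sample: one simplified statement per line, each ending in ";".
# The last line is the asker's own failing test string.
SAMPLE = """\
INSERT INTO users (name) VALUES ('" . $_POST['name'] . "');
INSERT INTO users (name) VALUES ('" . mysql_real_escape_string($_POST['name']) . "');
INSERT INTO log (msg) VALUES ('static text');
SELECT * FROM users;
INSERT INTO sdfsdffsfd mysql_real_escape_string sdfsdf;
"""

# Constructed sample with statements wrapped across lines.
WRAPPED = """\
INSERT INTO users (name)
    VALUES ('" . $_POST['name'] . "');
INSERT INTO users (name)
    VALUES ('" . mysql_real_escape_string($_POST['name']) . "');
"""


def find_unescaped(source: str, pattern: re.Pattern = TEMPERED) -> list[str]:
    """Return every statement in `source` that `pattern` flags as lacking the escape call."""
    return [m.group(0) for m in pattern.finditer(source)]


if __name__ == "__main__":
    for name, pat in [("naive", NAIVE), ("tempered", TEMPERED), ("anchored", ANCHORED)]:
        print(name, find_unescaped(SAMPLE, pat))
    print("tempered multi-line", find_unescaped(WRAPPED, TEMPERED_MULTILINE))
    print("anchored multi-line", find_unescaped(WRAPPED, ANCHORED_MULTILINE))
```

On the line-per-statement sample, TEMPERED and ANCHORED both report exactly the two statements without the escape call, while NAIVE reports all four INSERT lines. On the wrapped sample, TEMPERED_MULTILINE still reports the unescaped first statement, but ANCHORED_MULTILINE reports nothing, because the escape call in the second statement satisfies its file-wide lookahead. The per-character check is what keeps the "does not contain" test scoped to the statement being matched.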
