Is there any Regular Expression to check if a string is valid SQL? It must be PHP compatible. My code.
if(!preg_match("regular expression", $_POST['sql_input']){
echo "Please enter valid SQL.";
exit;
}
Asked
Active
Viewed 3,525 times
-4
C'mon
- 51
- 1
- 10
-
There are many dialects of SQL, any particular one you have in mind? – Joachim Isaksson Feb 04 '14 at 16:19
-
What are you doing to be doing with these posted SQL queries? `DELETE FROM users;` and `DROP DATABASE database` are valid queries ;) – gen_Eric Feb 04 '14 at 16:19
-
Maybe this could help: https://code.google.com/p/php-sql-parser/ – gen_Eric Feb 04 '14 at 16:20
-
you already asked it yesterday! – Langusten Gustel Feb 04 '14 at 16:22
-
Why would you need to do this in the first place? – Eisa Adil Feb 04 '14 at 16:28
-
Maybe this guy just likes the downvotes ... -9 on the other one, -3 on this one, -18 on another one exactly the same. Sheesh. – webnoob Feb 04 '14 at 16:59
-
Some are "suckers for punishment" – @webnoob – Funk Forty Niner Feb 04 '14 at 16:59
3 Answers
0
You could try this library: http://code.google.com/p/php-sql-parser/. I've not used it yet so I can't guarantee it but the code looks like it will be able to tell the difference between valid and invalid SQL.
Another option could be to use transactions if your SQL variant allows it. A transaction would allow you to execute the SQL and then cancel it afterwards reversing any damage that was done. I think I would prefer option 1 though.
I am quoting Godwin. Source
Community
- 1
- 1
Langusten Gustel
- 10,917
- 9
- 46
- 59
-
Re: transactions, most (all?) databases won't allow you to roll back for example `DROP DATABASE`. – Joachim Isaksson Feb 04 '14 at 16:23
0
Simple answer. What you are trying to do is not possible.
You need an SQL Parser to check if statements are valid.
remedy.
- 2,032
- 3
- 25
- 48
-
Actually, it is possible (with the right sequence of `0`'s and `1`'s anything is possible nowadays ;-). I made a script using an array of keywords, and if one was found, then it would do whatever I told it to do. It could easily be modified to suit the OP's wish. Btw, I did NOT downvote this. It's not my style. ;-) – Funk Forty Niner Feb 04 '14 at 16:22
-
If you want to say that something is not possible, you have to demonstrate it. The other answer(s) disagree with you. (I'm the downvoter) – STT LCU Feb 04 '14 at 16:23
-
@STTLCU Well, to be fair I don't see a disagreeing answer that actually shows a regex or any pointer to how to construct an actual regex for doing it either... :) – Joachim Isaksson Feb 04 '14 at 16:24
-
1
-
-
Okay. well maybe I used the word "not possible" incorrectly. What I really meant was that regex isn't what he should be using to check if statements are valid. SQL parser is the answer! – remedy. Feb 04 '14 at 16:40
-
I agree with your last comment. "there is a way, but you shouldn't do it like that but using a SQL parser" is a good answer for me. – STT LCU Feb 05 '14 at 07:33
0
No, it is impossible. But if you want to protect yourself against SQL injection attacks, there are other mechanisms you should use.
See for example: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
sigy
- 2,408
- 1
- 24
- 55