Regular Expression help C#

  • Thread starter Thread starter JP
  • Start date Start date
J

JP

Guys, maybe you can help.

I have a method that basically parses any string sent to it to ensure
patterns that could be interpreted as a possible SQL injection do not exists
before send the data to the database. One of the requirements is that it must
look for any of the common words for SQL - UPDATE, INSERT, DELETE, etc and
remove them. Now I need it to keep the words in the string, but check to make
sure there are no spaces after the potential command

SELECT [unknown number of spaces after the 'SELECT' need to be removed while
maintaining any other words that follow

ie: SELECT [unknown spaces] the number of cards would now become
SELECT|the number of cards

I need a RegEx pattern in C# 1.1 that can look for key words containing AT
LEAST ONE space after they key word and only the keyword and any following
spaces with the pipe character.

I have my pattern started, but I cannot seem to figure how to only apply
this particular case above. Maybe Im just having a brain drain I dont know,
but I cant get it to work. Some how I need a veriable in the expression

Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");
 
JP said:
Guys, maybe you can help.

I have a method that basically parses any string sent to it to ensure
patterns that could be interpreted as a possible SQL injection do not exists
before send the data to the database. One of the requirements is that it must
look for any of the common words for SQL - UPDATE, INSERT, DELETE, etc and
remove them. Now I need it to keep the words in the string, but check to make
sure there are no spaces after the potential command

SELECT [unknown number of spaces after the 'SELECT' need to be removed while
maintaining any other words that follow

ie: SELECT [unknown spaces] the number of cards would now become
SELECT|the number of cards

I need a RegEx pattern in C# 1.1 that can look for key words containing AT
LEAST ONE space after they key word and only the keyword and any following
spaces with the pipe character.

I have my pattern started, but I cannot seem to figure how to only apply
this particular case above. Maybe Im just having a brain drain I dont know,
but I cant get it to work. Some how I need a veriable in the expression

Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");
Click to expand...

Are you looking for something like this:

String sOutput = Regex.Replace(sInput,
"^\\s*(SELECT|INPUT|UPDATE)\\s+", "");

But I don't know exactly what you want to do. You cannot be sure to find
all harmful commands. For example "/*Hello*/DROP/*You*/TABLE Bla". If
you apply your data through "?"-Parameters or correctly quoted, nothing
bad can happen.

Markus
 
Guys, maybe you can help.

I have a method that basically parses any string sent to it to ensure
patterns that could be interpreted as a possible SQL injection do not exists
before send the data to the database. One of the requirements is that it must
look for any of the common words for SQL - UPDATE, INSERT, DELETE, etc and
remove them. Now I need it to keep the words in the string, but check to make
sure there are no spaces after the potential command

SELECT [unknown number of spaces after the 'SELECT' need to be removed while
maintaining any other words that follow

ie: SELECT [unknown spaces] the number of cards would now become
SELECT|the number of cards

I need a RegEx pattern in C# 1.1 that can look for key words containing AT
LEAST ONE space after they key word and only the keyword and any following
spaces with the pipe character.

I have my pattern started, but I cannot seem to figure how to only apply
this particular case above. Maybe Im just having a brain drain I dont know,
but I cant get it to work. Some how I need a veriable in the expression

Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");
Click to expand...

This seems like a really bad idea to me.

Not only can't you think of all possible bad keywords, what if the
keywords legitimately appear in data?
 
Hello JP,
Guys, maybe you can help.

I have a method that basically parses any string sent to it to ensure
patterns that could be interpreted as a possible SQL injection do not
exists before send the data to the database. One of the requirements
is that it must look for any of the common words for SQL - UPDATE,
INSERT, DELETE, etc and remove them. Now I need it to keep the words
in the string, but check to make sure there are no spaces after the
potential command

SELECT [unknown number of spaces after the 'SELECT' need to be removed
while maintaining any other words that follow

ie: SELECT [unknown spaces] the number of cards would now become
SELECT|the number of cards

I need a RegEx pattern in C# 1.1 that can look for key words
containing AT LEAST ONE space after they key word and only the keyword
and any following spaces with the pipe character.

I have my pattern started, but I cannot seem to figure how to only
apply this particular case above. Maybe Im just having a brain drain I
dont know, but I cant get it to work. Some how I need a veriable in
the expression

Regex expression = new Regex(@"^\s*(.*?)\s*$", "$1");
Click to expand...

How are you building/executing these statements? If you use parameters the
right way, you should never have to worry about SQL injection. And it's faster
too.

The problem with using a regex here is that many valid pieces of text will
contain words like update, delete, drop, insert, select, create, (trying
to think of more from the top of my head)... the problem is, that there are
more keywords that you could ever take into account, especially if you take
database independency into account.

The second is that I don't udnerstand why you'd want to remove spaces....

And trying to figure out what your expression does is also a bit of a struggle...
it looks for any number of spaces, followed by anything other than a whitespace
charecter, followed by any number of spaces... replacing it with just the
stuff inbetween... that would simply remove all spaces from a file... A simple
expression to remove all spaces except one is: "(\s)\1*" -> "$1", or even
better: "\s+" -> " ". It would look for the whitespaces, not the words around
them.
 
Back
Top