A short and quick way to kill SQL injection in your project with Python and some regex...
#!/usr/bin/env python3
# by d4rk3r
from re import search, sub


def kill_injected_sql(input_string: str) -> str:
    """
    A hard killer for sql injection from an incoming string.
    params:
        input_string : str [the incoming, not-yet-trusted string]
    """
    # keywords from actual SQL syntax (the trailing space keeps them whole words)
    k_syntax = [
        "CREATE ", "DROP ", "UPDATE ",
        "INSERT ", "ALTER ", "DELETE ",
        "ATTACH ", "DETACH ", "BEGIN ",
        "CALL ", "COMMENT ", "COMMIT ",
        "COPY ", "DESCRIBE ", "EXPLAIN ",
        "GET ", "GRANT ", "LIST ", "MERGE ",
        "PUT ", "REMOVE ", "REVOKE ", "ROLLBACK ",
        "SET ", "SHOW ", "TRUNCATE ", "UNDROP ",
        "UNSET ", "USE ", "WITH ",
        "SELECT ", "ORDER BY ", "EXEC ",
        "UNION ",
    ]
    # to handle lowercase strings too
    k_syntax += [k.lower() for k in k_syntax]
    keys = "|".join(k_syntax)
    # The regex: a keyword at the start of the string, or anywhere in it (lookahead).
    # "?" is the optional quantifier; "{0,1}" inside an f-string would be evaluated
    # as a Python tuple, not kept as a regex quantifier.
    regex = (
        f"^(?:{keys}|EXEC(?:UTE)?|INSERT(?: +INTO)?|UNION(?: +ALL)?)"
        f"|(?=.*(?:{keys})).*$"
    )
    if search(regex, input_string):
        # the patch: replace every run of non-alphanumeric characters with "_"
        return sub("[^0-9a-zA-Z]+", "_", input_string)
    return input_string


# Some examples
print(kill_injected_sql("SELECT * FROM TESTS"))
print(kill_injected_sql("create TABLE niangua (test integer);"))
print(kill_injected_sql("DROP DATABASE IMPORTANT;"))
print(kill_injected_sql("normal string"))
# expected outputs
#
# SELECT_FROM_TESTS
# create_TABLE_niangua_test_integer_
# DROP_DATABASE_IMPORTANT_
# normal string
Source code: https://gist.github.com/Sanix-Darker/19d85eace69e6f312cc2009a6fdd3beb
My GitHub: github.com/sanix-darker
Have FUN!
Discussion (2)
Using deny-lists instead of allow-lists is not secure at all. This doesn't cover all SQL commands. On top of that, new syntax can easily bypass these checks. It is better to focus on properly handling data input in a secure way instead. Also, using your method would disrupt processing of normal human text. There are other issues here, too, as it looks like you're replacing non-alphanumerics with underscore, which would absolutely break non-English characters.
I assume this is an overkilled function I made and it will not resolve all cases, and that's why I am still improving it!