parameterized queries vs. regular expressions

Networking/Security Forums -> Databases

Author: disarli PostPosted: Thu May 20, 2010 1:29 am    Post subject: parameterized queries vs. regular expressions
During the blizzard of SQL injection attacks in mid-2008, I was helping some friends clean up their classic ASP site. I read up on SQL injection attacks and how to defend ASP. The standard answer was to use parameterized queries. At the time, I ran across a web page that listed more than 100 string expressions that were designed to bypass regular expression filters. It was rather jaw-dropping to see the cleverness of a determined SQL injection attack. It was clear that the regular expressions that could actually catch the ridiculous variety of potential strings (Unicode encodings, HTML encodings, octal encodings, and so much more) would be too complicated to maintain by humans.

Fast forward to last week, and I attended an OWASP web security talk where they recommended regular expression filters for user input validation. Parameterized queries were mentioned, but not emphasized. So I went looking for that previous collection of attack strings and now I can't find it. It is very discouraging to see regular expressions recommended for validating user input on many web pages.

Am I just imagining that regular expressions are fundamentally insecure for user input validation/filtering? Does anyone know where to find this long list of attack strings that blow by (most) regular expressions? I know I would never launch any code that didn't use parameterized queries, but it is hard to convince others how weak they are without some good examples.

Best regards,


Author: CoreDefend Location: USA PostPosted: Tue May 25, 2010 4:37 pm    Post subject:
Parameterized Queries should still be the first choice. The general statement: "sanitize all user-supplied input" is hard to implement for every situation.

Regular expressions should be included whenever you accept input. This will help enforce that the data submitted is what you intended. However, it can still be bypassed.

Check these links to see if they are what you're looking for:

Because Regular Expressions are mostly reactive and many SQLi attacks are automated, we are facing an up-hill battle. Using an application-level IDS/IPS or Firewall is an excellent way to catch things that are not resolved by your parameterized queries. GreenSQL is a good (free) start:

As an example, show others the information regarding the recent TJ-MAXX attacks.
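As an added example (not code from either poster), the contrast this thread discusses, written in Python with sqlite3 as a stand-in for the classic ASP/ADO site disarli mentions: the string-concatenated query that injection abuses, the parameterized form, and an allow-list regular expression used only as a secondary check in front of the parameterized query. The table, rows and inputs are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table; stands in for the site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_concat(conn, name):
    """The pattern the first post was cleaning up: input spliced into SQL text.
    Whatever the user types becomes part of the statement the engine parses."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterized query: the SQL text is fixed and the value travels separately,
    so quotes, keywords or encodings inside it are only ever compared as data."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Allow-list validation: describe what a username IS, not what an attack looks like.
# A blocklist regex is reactive (CoreDefend's point); an allow-list is a stable contract.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn, name):
    """Defence in depth: reject malformed input early, then still parameterize."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return lookup_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # classic constructed test string
    print("concatenated:", lookup_concat(db, probe))   # leaks every row
    print("parameterized:", lookup_param(db, probe))   # no such user -> []
    print("validated:", lookup_validated(db, "alice"))
```

The concatenated lookup returns both rows for the probe string because the quote terminates the literal and the rest is parsed as SQL, while the parameterized lookup compares the whole string as one value and finds nothing.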

