Posted: Thu May 20, 2010 1:29 am Post subject: parameterized queries vs. regular expressions
During the blizzard of SQL injection attacks in mid-2008, I was helping some friends clean up their classic ASP site. I read up on SQL injection attacks and how to defend ASP. The standard answer was to use parameterized queries. At the time, I ran across a web page that listed more than 100 string expressions that were designed to bypass regular expression filters. It was rather jaw-dropping to see the cleverness of a determined SQL injection attack. It was clear that the regular expressions that could actually catch the ridiculous variety of potential strings (Unicode encodings, HTML encodings, octal encodings, and so much more) would be too complicated to maintain by humans.
Fast forward to last week, and I attended an OWASP web security talk where they recommended regular expression filters for user input validation. Parameterized queries were mentioned, but not emphasized. So I went looking for that previous collection of attack strings and now I can't find it. It is very discouraging to see regular expressions recommended for validating user input on many web pages.
Am I just imagining that regular expressions are fundamentally insecure for user input validation/filtering? Does anyone know where to find this long list of attack strings that blow by (most) regular expressions? I know I would never launch any code that didn't use parameterized queries, but it is hard to convince others how weak they are without some good examples.
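The contrast the original poster is drawing can be shown directly: the same input run through a string-concatenated query and through a parameterized one. The example below is added here and is not code from the thread; it uses Python's standard sqlite3 module with a constructed two-row table, and the allowlist regex and field names are assumptions for illustration. It also shows where a regular expression legitimately belongs: as a positive allowlist on the shape of a field, layered on top of parameterization rather than as a denylist standing in for it.

```python
import re
import sqlite3

# Constructed sample data: two users in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    # Vulnerable pattern: the value is spliced into the SQL text, so a quote in the
    # input can end the literal and change the structure of the statement.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, username):
    # Parameterized pattern: the SQL text is fixed; the driver passes the value
    # separately, so it can only ever be compared as a username, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Assumed username policy for this demo: a positive allowlist on the field's shape.
# This is the kind of regex that is maintainable, because it states what is allowed
# rather than trying to enumerate every encoding of what is not.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_validated(conn, username):
    # Defense in depth: reject anything outside the expected shape up front,
    # then still use a parameterized query for the database call.
    if not USERNAME_RE.match(username):
        raise ValueError("username does not match allowed pattern")
    return lookup_param(conn, username)


def demo():
    conn = make_db()
    benign = "alice"
    # Constructed sample of the classic tautology shape discussed in the thread.
    tautology = "x' OR 'a'='a"
    results = {
        "concat_benign": lookup_concat(conn, benign),
        "concat_tautology": lookup_concat(conn, tautology),  # returns every row
        "param_benign": lookup_param(conn, benign),
        "param_tautology": lookup_param(conn, tautology),    # matches nothing
        "validated_benign": lookup_validated(conn, benign),
    }
    try:
        lookup_validated(conn, tautology)
        results["validated_tautology"] = "accepted"
    except ValueError:
        results["validated_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated lookup returns both users for the tautology input because the input has rewritten the WHERE clause; the parameterized lookup returns nothing because the whole string is compared as one literal username. The allowlist check adds a second, independent layer and fails closed on any input outside the documented format, which is the role a regular expression can reasonably play in input validation.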
Because Regular Expressions are mostly reactive and many SQLi attacks are automated, we are facing an uphill battle. Using an application-level IDS/IPS or Firewall is an excellent way to catch things that are not resolved by your parameterized queries. GreenSQL is a good (free) start: