• Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

parameterized queries vs. regular expressions

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Databases

View previous topic :: View next topic  
Author Message
Just Arrived
Just Arrived

Joined: 19 May 2010
Posts: 0


PostPosted: Thu May 20, 2010 1:29 am    Post subject: parameterized queries vs. regular expressions Reply with quote

During the blizzard of SQL injection attacks in mid-2008, I was helping some friends clean up their classic ASP site. I read up on SQL injection attacks and how to defend ASP. The standard answer was to use parameterized queries. At the time, I ran across a web page that listed more than 100 string expressions that were designed to bypass regular expression filters. It was rather jaw-dropping to see the cleverness of a determined SQL injection attack. It was clear that the regular expressions that could actual catch the ridiculous variety of potential strings (Unicode encodings, HTML encodings, octal encodings, and so much more) would be too complicated to maintain by humans.

Fast forward to last week, and I attended an OWASP web security talk where they recommended regular expression filters for user input validation. Parameterized queries were mentioned, but not emphasized. So I went looking for that previous collection of attack strings and now I can't find it. It is very discouraging to see regular expressions recommended for validating user input on many web pages.

Am I just imagining that regular expressions are fundamentally insecure for user input validation/filtering? Does anyone know where to find this long list of attack strings that blow by (most) regular expressions? I know I would never launch any code that didn't use parameterized queries, but it is hard to convince others how weak they are without some good examples.

Best regards,

Back to top
View user's profile Send private message
Forum Fanatic
Forum Fanatic

Joined: 25 May 2010
Posts: 16777215
Location: USA


PostPosted: Tue May 25, 2010 4:37 pm    Post subject: Reply with quote

Parameterized Queries should still be the first choice. The general statement: "sanitize all user-suppplied input" is hard to implement for every situation.

Regular expressions should included be whenever you accept input. This will help enforce that the data submitted is what you intended. However, it can still be bypassed.

Check these links to see if they are what you're looking for:


Because Regular Expressions are mostly reactive and many SQLi attacks are automated, we are facing an up-hill battle. Using an application-level IDS/IPS or Firewall is an excellent way to catch things that are not resolved by your parameterized queries. GreenSQL is a good (free) start:


As an example, show others the information regarding the recent TJ-MAXX attacks.

Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Databases All times are GMT + 2 Hours
Page 1 of 1

Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register