[WIP] kill SQL injection
A short and quick way to kill SQL injection in your project with Python and some regex.
#/bin/python3
# by d4rk3r
from re import search, sub
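# Keywords that usually open a SQL statement.  Several of them ("GET", "LIST",
# "PUT", "SET", "SHOW", "USE", "WITH", ...) are also ordinary English words, so
# plain prose containing one of them followed by a space is rewritten as well.
_SQL_KEYWORDS = (
    "ALTER", "ATTACH", "BEGIN", "CALL", "COMMENT", "COMMIT", "COPY", "CREATE",
    "DELETE", "DESCRIBE", "DETACH", "DROP", "EXEC", "EXECUTE", "EXPLAIN", "GET",
    "GRANT", "INSERT", "LIST", "MERGE", "ORDER BY", "PUT", "REMOVE", "REVOKE",
    "ROLLBACK", "SELECT", "SET", "SHOW", "TRUNCATE", "UNDROP", "UNION", "UNSET",
    "UPDATE", "USE", "WITH",
)

# Case-insensitive (inline (?i) flag): a keyword as a whole word followed by
# whitespace, anywhere in the input.  Built once at import time instead of on
# every call.  The previous f-string pattern spelled its optional groups as
# "{0,1}", which an f-string interpolates as the tuple (0, 1) rather than a
# regex quantifier, so "EXECUTE" / "UNION ALL" without a trailing space were
# not detected; it also only listed all-upper and all-lower spellings, so a
# mixed-case "Select " slipped past, and it matched "SET " inside "RESET ".
_SQL_KEYWORD_PATTERN = r"(?i)\b(?:" + "|".join(_SQL_KEYWORDS) + r")\s+"


def kill_injected_sql(input_string: str) -> str:
    """Return *input_string* with punctuation collapsed when it looks like SQL.

    If the string contains a SQL keyword (see ``_SQL_KEYWORDS``) as a whole
    word followed by whitespace, every run of characters outside ``0-9a-zA-Z``
    is replaced by a single ``_``; otherwise the string is returned untouched.

    This is a keyword blacklist, not a parser: it does not know every SQL
    dialect or encoding trick, and it also mangles harmless text that happens
    to contain one of the listed words.  It is not a substitute for
    parameterised queries (``cursor.execute(sql, params)``), which keep data
    out of the query text altogether; treat it at most as a defence-in-depth
    filter in front of them.

    Args:
        input_string: Untrusted text that may contain SQL.

    Returns:
        The original string, or its sanitised form if a keyword was found.
    """
    if search(_SQL_KEYWORD_PATTERN, input_string):
        # Collapse each run of characters that is not an ASCII letter or digit
        # into one underscore.  The class is ASCII-only, so non-ASCII letters
        # are replaced too.
        return sub("[^0-9a-zA-Z]+", "_", input_string)
    return input_string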
# Some examples: each input is printed after passing through the filter.
for sample in (
    "SELECT * FROM TESTS",
    "create TABLE niangua (test integer);",
    "DROP DATABASE IMPORTANT;",
    "normal string",
):
    print(kill_injected_sql(sample))
# expected outputs
#
# SELECT_FROM_TESTS
# create_TABLE_niangua_test_integer_
# DROP_DATABASE_IMPORTANT_
# normal string
Source Code : https://gist.github.com/Sanix-Darker/19d85eace69e6f312cc2009a6fdd3beb
My Github : github.com/sanix-darker
Have FUN !