Oracle regexp_replace to prevent semicolons

Question

Oracle regexp_replace to prevent semicolons

328 views Asked by Stick-With-SQL At 08 September 2017 at 17:43

Is the following code sufficient to prevent any semicolon from ever remaining in v_str?

regexp_replace(v_str, ';')

Or is there a way someone can circumvent it?

For example the following snippet is not sufficient to block 'DROP' from being passed:

regexp_replace(v_str, 'DROP')

Someone can bypass this by passing in 'DRDROPOP'.

Seemingly, however, the semicolon prevention above is sufficient. Can you think of a way to break it?

Original Q&A

There are 2 answers

**Kevin Seymour** · Answer 1 · 2017-09-08 18:01:51

Yes, that will give you the desired result. However, I think regular ole REPLACE is probably more efficient than using the regex_* functions.

WITH t AS
 (SELECT ';1234;abcd;;5678;;;efgh;;' x
    FROM dual)
SELECT x,
       REPLACE(x,
               ';'),
       regexp_replace(x,
                      ';')
  FROM t;

As others have stated this is NOT a good solution for preventing SQL injection, but I understand your need for a stepping stone.

**Dessma** · Answer 2 · 2017-09-08 18:06:36

Dessma On 08 September 2017 at 18:06

For a quick temporary fix it can work, but it won't stop crafty users from pushing characters in your queries.

For instance :

'DROP DATABASE' || chr(59)
'DROP DATABASE' || chr(58+1)
...

TechQA.

Oracle regexp_replace to prevent semicolons

There are 2 answers

Related Questions in ORACLE

Related Questions in SQL-INJECTION

Related Questions in REGEXP-REPLACE

Popular Questions

Popular Tags

Trending Questions