Expression:
(script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) |(INSERT) |(DELETE)|(GRANT) |(REVOKE)|(UNION)|(&lt;)|(&gt;)
Description:
This blacklist regex is designed to search user input for malicious script fragments or SQL injection attempts.
Matches:
http://www.domain.com/page.asp?param=</script>
https://www.domain.com/page.asp?param=;SELECT
Non-Matches:
https://www.domain.com/page.asp?param=RealParam
Author:
Shahar Bracha
Title: Getting Errors need help
Name: Anand
Date: 8/4/2014 11:30:39 AM
Comment:
Hello everyone,
This is the expression I am using:
[RegularExpression(@"^((?!(script)|(<)|(>)|(%3c)|(%3e)|(SELECT)|(UPDATE)|(INSERT)|(DELETE)|(GRANT)|(REVOKE)|(<)|(>)).*)$", ErrorMessage = "Error")]
If I enter SELECT, UPDATE, >, <, etc., this is validated well. But I want to make it case insensitive. I tried adding /i at the end, but it didn't work out for me. Any help would be appreciated.
Title: The word description should not match
Name: Carl
Date: 5/25/2007 5:09:12 PM
Comment:
The word description is a match since it contains "script". Ouch
Title: may return rows not matching search text
Name: Aamir
Date: 5/3/2007 12:36:33 PM
Comment:
This regexp is or may be good to prevent the data from being modified or deleted, but there is no provision to prevent all the rows from being returned if they match the following text.
' OR 1=1 --
However, the above exploit will not work if search column values are supplied as parameters to stored procs and not as concatenated strings.
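To make the point of this comment concrete, here is an added Python example (it is not part of the comment or of the RegexLib entry) using an in-memory SQLite table: the entry's blacklist is silent on the search text quoted above, a query built by string concatenation returns every row for it, and the same query with the value bound as a parameter returns nothing. The table, its rows and the helper names are constructed for the demo; the page is about classic ASP, but the mechanism is the same in any database client.

```python
import re
import sqlite3

# The entry's blacklist with the stray spaces removed and case folded,
# i.e. the strongest form the thread arrives at.
BLACKLIST_RE = re.compile(
    r"(script)|(<)|(>)|(%3c)|(%3e)|(SELECT)|(UPDATE)|(INSERT)|(DELETE)"
    r"|(GRANT)|(REVOKE)|(UNION)|(&lt;)|(&gt;)",
    re.IGNORECASE,
)

# The search text quoted in the comment above.
SEARCH_TEXT = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three product names in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [("widget",), ("gadget",), ("gizmo",)],
    )
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the regex is meant to protect: the search term is pasted
    into the SQL text, so quotes and comment markers in it become SQL."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The fix the comment recommends: the term travels as a bound parameter,
    so the database only ever compares it as a value."""
    sql = "SELECT name FROM products WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (term,)))


def blacklist_catches(term: str) -> bool:
    """True if the blacklist would have rejected this input."""
    return BLACKLIST_RE.search(term) is not None


if __name__ == "__main__":
    db = make_db()
    print("blacklist flags search text:", blacklist_catches(SEARCH_TEXT))
    print("concatenated query returns:  ", search_concatenated(db, SEARCH_TEXT))
    print("parameterized query returns: ", search_parameterized(db, SEARCH_TEXT))
```

The parameterized version needs no blacklist at all for this input: the quote and the comment marker are just characters in a value the database compares against the column.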
Title: What about...
Name: Phil
Date: 3/19/2007 1:53:35 PM
Comment:
What about TRUNCATE?
Title: Ok found the problem
Name: Chris
Date: 9/9/2005 11:29:38 AM
Comment:
You must be sure to remove the spaces after
(SELECT) |
Should be:
(SELECT)|
Title: Not working
Name: Chris
Date: 9/9/2005 11:25:27 AM
Comment:
If I run the Test with:
https://www.domain.com/page.asp?param=;SELECT
It returns NO matches.
Title: Case sensitive ???
Name: Daniel
Date: 9/8/2005 1:24:10 PM
Comment:
What about
http://www.domain.com/page.asp?param=</script>
https://www.domain.com/page.asp?param=;select
SQL is not case sensitive.
Just add "/i" at the end:
correct exp: (script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) |(INSERT) |(DELETE) |(GRANT) |(REVOKE)|(<) |(>)/i
Title: Typo fixed...
Name: Shahar
Date: 2/8/2005 8:18:44 AM
Comment:
Thanks !
Title: typo correction
Name: Corey
Date: 2/7/2005 12:05:33 PM
Comment:
There is a typo in the above script... (GRENT) should be (GRANT)
correct exp: (script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) |(INSERT) |(DELETE) |(GRANT) |(REVOKE)|(<) |(>)
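As an added check (example code, not part of the RegexLib entry or of any commenter's post), the following Python runs the expression exactly as listed at the top of the page next to the corrected form the thread converges on (stray spaces after the keywords removed, matching made case-insensitive) over the entry's own match/non-match URLs and the inputs the comments raise: a lowercase keyword, the word "description", the search text `' OR 1=1 --`, and a TRUNCATE statement. The sample inputs are constructed for the demo, and `re.IGNORECASE` stands in for the "/i" suffix, which is not Python syntax.

```python
import re

# The expression exactly as listed in the entry. Several alternatives carry a
# trailing space, e.g. "(SELECT) ", so they only match the keyword followed by
# a space, and the whole pattern is case-sensitive.
ORIGINAL_PATTERN = (
    r"(script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) |(INSERT) |(DELETE)"
    r"|(GRANT) |(REVOKE)|(UNION)|(&lt;)|(&gt;)"
)

# The same alternatives with the stray spaces removed; compiled with
# re.IGNORECASE below, Python's equivalent of the "/i" the comments ask for.
CORRECTED_PATTERN = (
    r"(script)|(<)|(>)|(%3c)|(%3e)|(SELECT)|(UPDATE)|(INSERT)|(DELETE)"
    r"|(GRANT)|(REVOKE)|(UNION)|(&lt;)|(&gt;)"
)

ORIGINAL_RE = re.compile(ORIGINAL_PATTERN)
CORRECTED_RE = re.compile(CORRECTED_PATTERN, re.IGNORECASE)

# Constructed inputs: the entry's own examples plus the cases from the thread.
SAMPLES = [
    "http://www.domain.com/page.asp?param=</script>",   # listed as a match
    "https://www.domain.com/page.asp?param=;SELECT",    # listed as a match
    "https://www.domain.com/page.asp?param=RealParam",  # listed as a non-match
    "https://www.domain.com/page.asp?param=;select",    # lowercase keyword
    "description",                                       # benign word containing "script"
    "' OR 1=1 --",                                       # contains no blacklisted token
    "TRUNCATE TABLE orders",                             # keyword the list never had
]


def is_flagged(pattern: re.Pattern, value: str) -> bool:
    """True when any blacklist alternative occurs anywhere in value."""
    return pattern.search(value) is not None


def evaluate(values=SAMPLES) -> dict:
    """Map each input to (flagged by original, flagged by corrected)."""
    return {v: (is_flagged(ORIGINAL_RE, v), is_flagged(CORRECTED_RE, v)) for v in values}


if __name__ == "__main__":
    for value, (orig, fixed) in evaluate().items():
        print(f"{value!r:55} original={orig!s:5} corrected={fixed}")
```

Running it shows the three defects the thread documents: the listed match `;SELECT` is not flagged by the original because the alternative requires a trailing space, lowercase keywords pass until the pattern is compiled case-insensitively, and even the corrected form flags the harmless word "description" while letting `' OR 1=1 --` and `TRUNCATE` through, which is why the blacklist cannot replace parameterized queries.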