C# 在 PHP 文件中解析 SQL 的最佳方法?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20478/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Best Approach to Parse for SQL in PHP Files?
提问by ftdysa
For my senior thesis, I developed a program that would automatically detect and suggest fixes to SQL injection vulnerabilities using prepared statements. Specifically the mysqli extension for PHP. My question for the SO community is this: What would your preferred approach be to detect the SQL in PHP source code?
在我的毕业论文中,我开发了一个程序,可以使用准备好的语句自动检测 SQL 注入漏洞并提出修复建议。特别是 PHP 的 mysqli 扩展。我对 SO 社区的问题是:您首选的方法是检测 PHP 源代码中的 SQL?
I used an enum containg the SQL keywords (SELECT, INSERT, ...)and basically parsed each line, iterating over the enum to determine if any SQL was present. Additionally, I had to make sure that the parser was not erroneously detecting html (for example <\select>).
我使用了一个包含SQL keywords (SELECT, INSERT, ...)并且基本上解析每一行的枚举,遍历枚举以确定是否存在任何 SQL。此外,我必须确保解析器没有错误地检测到 html(例如 <\select>)。
For me this solution worked fine, but now I have a little more time on my hands now and have thought about refactoring the code to use a more elegant (and efficient) solution. Please limit your solutions to using C#as that is what I wrote my program in.
对我来说,这个解决方案工作得很好,但现在我有更多的时间在我的手上,并考虑重构代码以使用更优雅(和有效)的解决方案。请限制您的解决方案使用C#,因为这是我编写程序的内容。
回答by Vincent
Your solution seems fine to me. The other way would be to parse the PHP file with a Lex/Yacc parser using the grammar for PHP, there is one good C# grammar parsing tool called Coco/R http://www.ssw.uni-linz.ac.at/coco/.
你的解决方案对我来说似乎很好。另一种方法是使用 Lex/Yacc 解析器使用 PHP 语法解析 PHP 文件,有一个很好的 C# 语法解析工具,称为 Coco/R http://www.ssw.uni-linz.ac.at/可可/。
However I believe if you do parse the language, you will end up consuming too much time (in development and in computing) for no additional results.
但是我相信,如果你真的解析语言,你最终会消耗太多时间(在开发和计算中)而没有额外的结果。
I would stick with your opportunistic approach, but test it against various PHP code and tweak it to cover all possible cases.
我会坚持你的机会主义方法,但对各种 PHP 代码进行测试并调整它以涵盖所有可能的情况。
回答by Cheekysoft
Maybe theres some milage in parsing text lines against the BNFfor, say, SQL92, and scoring each line on how closely the fragments match the grammar.
也许在针对BNF解析文本行(例如SQL92)并根据片段与语法的匹配程度对每一行进行评分时,可能会有一些进展。
Sounds like some heavy lifting though. Your simple approach will catch such a large percentage of real-world cases already.
听起来像是一些繁重的工作。您的简单方法已经可以捕获如此大比例的真实案例。
回答by Teifion
I do not know the specifics of variables in C# so you will have to forgive or down-vote me for using PHP but 70% of the time my SQL query goes into a variable like so
我不知道 C# 中变量的细节,所以你将不得不原谅或反对我使用 PHP,但 70% 的时间我的 SQL 查询进入这样的变量
$sql = "SELECT * FROM table;";
Beyond that I am unable to think of anything you can do to improve on what you already have.
除此之外,我想不出你可以做些什么来改进你已经拥有的东西。
Do you take into account statements that are created over several lines and use variables within the string? (Example below)
您是否考虑了多行创建的语句并在字符串中使用变量?(下例)
$sql = "SELECT * FROM table WHERE fname = $fname OR snmae = $sname";
回答by ftdysa
I do not know the specifics of variables in C# so you will have to forgive or down-vote me for using PHP but 70% of the time my SQL query goes into a variable like so ..
我不知道 C# 中变量的细节,所以你必须原谅或反对我使用 PHP,但 70% 的时间我的 SQL 查询进入这样的变量..
Yeah, my original approach was to just look for the $sql vars since that is what mostpeople use, but after testing against a few PHP apps I quickly threw that solution out because some developers use some funky variable names ...
是的,我最初的方法是只查找 $sql 变量,因为这是大多数人使用的,但是在对一些 PHP 应用程序进行测试后,我很快就放弃了该解决方案,因为有些开发人员使用了一些时髦的变量名......
Do you take into account statements that are created over several lines and use variables within the string? (Example below)
您是否考虑了多行创建的语句并在字符串中使用变量?(下例)
Yep. I also attempted to handle statements that were generated conditionally, but that didn't always work so well. ;)
是的。我还尝试处理有条件生成的语句,但这并不总是那么有效。;)
回答by Imran
A simple regex to detect all CRUD sql statements used with functions (assuming $script contains the whole php script)
一个简单的正则表达式来检测与函数一起使用的所有 CRUD sql 语句(假设 $script 包含整个 php 脚本)
preg_match_all('/\(\s*?"(?:SELECT|INSERT|UPDATE|DELETE) .*?"\s*?\)\s*?;/is',
$script, $matches);
It should match all possible SELECT, INSERT, UPDATE, DELETE statements, if they're placed within parentheses and double quotes. It's case insensetive and should match statements that span across multiple lines too.
它应该匹配所有可能的 SELECT、INSERT、UPDATE、DELETE 语句,如果它们放在括号和双引号内。它不区分大小写,也应该匹配跨越多行的语句。
edit #1:Regex for matching CRUD statement like string assignments;
编辑 #1:用于匹配 CRUD 语句(如字符串赋值)的正则表达式;
preg_match_all('/$\w+\s*?=\s*?"(?:SELECT|INSERT|UPDATE|DELETE) .*?"\s*?;/is',
$script, $matches);
edit #2:
编辑#2:
// $variable detecting version of #1 regex
preg_match_all('/\(\s*?"(?:SELECT|INSERT|UPDATE|DELETE) .*?(?:$\w+){1}.*?"\s*?\)\s*?;/is',
$script, $matches);
回答by Kibbee
I would say it would be best to look for function calls instead of looking for SQL itself. Possibly modify the PHP parser to look for function calls that result in running an SQL query which is not a prepared query.
我会说最好寻找函数调用而不是寻找 SQL 本身。可能修改 PHP 解析器以查找导致运行 SQL 查询的函数调用,该查询不是准备好的查询。
