How to create a function that validates if there is a Mysql function in a given string?

Question

How to create a function that validates if there is a Mysql function in a given string?

Asked 8 years, 3 months ago

Viewed 118 times

3

I am looking for a function that identifies (return true) if there is a Mysql function in a string. These would be some examples of possibility of input to function.

<?php

$randomstrings = [
    "foo", //String comum
    "NOW()", //Função sem parâmetros
    "CONCAT_WS('foo','doo','boo')", //fun. com parâmetros
    "ST_AsText(ST_GeomFromGeoJSON('{\"type\":\"Point\",\"coordinates\":[-48.23456,20.12345]}'))", //Funções dentro de funções
    "ST_AsText(ST_GeomFromGeoJSON(@json))", //Variávies dentro da função
    "patrimony", //Não identificar paTRIMony como a function TRIM()
]

 foreach ($randomstrings as $value) {
 $functionList = array('LOAD_FILE', 'sql_to_decimal', '@userid', 'COALESCE', 'getVersaoEO', 'getPessoaById', 'CONVERT', 'IS NULL', 'IS NOT NULL',
            'ST_GeomFromText', 'ST_AsGeoJSON', 'ST_GeomFromGeoJSON', 'ST_AsText', 'CONCAT_WS', 'CONCAT', /*'TRIM',*/ 'json_extract', 'JSON_OBJECT', 'CURRENT_TIMESTAMP');
        foreach ($functionList as $function) {

            $find = strpos(strtolower($value), strtolower($function));
            if (!($find === false)) {
                return true;
            }
        }
 }

I believe this can be done with regular expressions or some other comparison function.

Just as a note, this function should not be used to bar some type of SQL-Injection. Its purpose is only to identify within a string whether there is an occurrence of a specific character in function format or Mysql variable.

– LeonanCarvalho

2017/07/12 at 20:25

1 answer

Browser other questions tagged php regex preg-match

You are not signed in. Login or sign up in order to post.

by rray • **66,288** points · Answer 1 · 2017-07-12T15:40:08+00:00

If you just want to know if one or more functions exist in the string, you can mount a regex looking for the exact term with âconra \b. By placing a term between \b means you’re looking for a full word and not a snippet, so don’t capture patrimony even having the term TRIM in the middle/inside.

$randomstrings = [
        "foo", //Non-function strings
        "NOW()", //Without parameters
        "CONCAT_WS('foo','doo','boo')", //With parameters
        "ST_AsText(ST_GeomFromGeoJSON('{\"type\":\"Point\",\"coordinates\":[-48.23456,20.12345]}'))", //Maybe functions inside functions
        "ST_AsText(ST_GeomFromGeoJSON(@json))", //Variables as parameters
        "patrimony", //Do not identify paTRIMony as  a function TRIM()
];

$functionList = array('LOAD_FILE', 'sql_to_decimal', '@userid', 'COALESCE', 'getVersaoEO', 'getPessoaById', 'CONVERT', 'IS NULL', 'IS NOT NULL','ST_GeomFromText', 'ST_AsGeoJSON', 'ST_GeomFromGeoJSON', 'ST_AsText', 'CONCAT_WS', 'CONCAT', /*'TRIM',*/ 'json_extract', 'JSON_OBJECT', 'CURRENT_TIMESTAMP');

foreach ($randomstrings as $value) {
    foreach($functionList as $function){
        if(preg_match("#\b$function\b#i", $value)){
            echo 'procurou por: '. $function  .' acho em: '. $value .'<br>';
        }
    }
}

Returns:

procurou por: CONCAT_WS acho em: CONCAT_WS('foo','doo','boo')
procurou por: ST_GeomFromGeoJSON acho em: ST_AsText(ST_GeomFromGeoJSON('{"type":"Point","coordinates":[-48.23456,20.12345]}'))
procurou por: ST_AsText acho em: ST_AsText(ST_GeomFromGeoJSON('{"type":"Point","coordinates":[-48.23456,20.12345]}'))
procurou por: ST_GeomFromGeoJSON acho em: ST_AsText(ST_GeomFromGeoJSON(@json))
procurou por: ST_AsText acho em: ST_AsText(ST_GeomFromGeoJSON(@json))

Related:

What’s the use of a Boundary ( b) in a regular expression?