From time to time I come across this problem and I finally want a solution for this once and for all.

It’s best to come up with an example that could be used practically. Imagine you have an application with a lot of INSERT-INTO-statements using mysql and php and you want to find statements that do not have a mysql_real_escape_string() because they would be vulnerable for sql injection. To keep it simple, let’s assume that each query ends with a semicolon.

So how do you match strings that start with “INSERT INTO” and end with “;” and don’t contain “mysql_real_escape_string”?

My assumption is that the quantifiers you have to use (+ and *) and the fact that a regex always is trying to match will lead to the behaviour that the regex eats just as much characters that a lookahead or lookbehind for the not contained string does not find it, even it is there. That’s the core problem, I think.