No, your regexp wouldn’t help with SQL injection much at all, I am sorry. Let’s look at some SQL injection:

First, suppose you create your SQL commands as strings, such as the following:

snprintf( sqlcommand, dimensionof(sqlcommand), "INSERT INTO users (username, password) VALUES ('%s', '%s')", username, password );


The concern with SQL injection is that the user can create an input value (username or password in this case) which causes the generated SQL command to do something other than intended. For example, if the username were “aardvark’,’f’);DROP/**/TABLE/**/users;–“, then the SQL statement generated would become:

INSERT INTO users (username, password) VALUES ('aardvark','f');DROP/**/TABLE/**/users;--', 'password_value')

So, you missed with your regular expression a few points:

• The usual method of ‘breaking out’ from the SQL string involves unescaped single-quote characters.
• /**/ is a separator but not a space.

And you should not fix that regular expression. As others have answered, this approach of filtering input is perilous. At the very least, you could call the mysql_real_escape_string() recommended by Cletus.

However, jishi and Mark Byers have the best answer: use parameterized SQL queries rather than constructing SQL queries out of string manipulation. This approach is infallible compared to processing the input data to escape needed characters.

Please accept jishi or Mark Byers’ answers as they were earliest and most correct.