Re: [mod-security-users] normalizeSql transformation
From: Achim H. <web...@si...> - 2011-10-21 12:48:38
Hi Marc,

your suggestion is a first step. IMHO it at least misses comments. Second, having comments in mind, you need to write a sophisticated parser for SQL. Example:

SELECT * FROM tab WHERE col='a/* comment' + /* real comment */ ' continues here' + /* but don't get fooled */ ' */' and col LIKE ' */' -- another comment */

So such a parser must know about the real SQL syntax (think TSQL, PSQL). It also misses backticks, which are allowed in SQL syntax.

Hope this helps to get the idea running ...

Achim

On 21.10.2011 13:55, Marc Stern wrote:
> Hello,
>
> While working with Breno on the implementation of the sqlHexDecode
> transformation function, I managed to take the time to design a
> normalization function for SQL. Here is what it would do:
>
> 1. Transform 0x...
> 2. Merge all redundant spaces (including tabs, CR, LF) to one space
> 3. Merge all redundant quotes (single, double & back) to one single quote
> 4. Remove all backslashes
> 5. Remove space around operators (plus, minus, etc.)
> 6. Remove space before & after a quote (not sure about this one)
>
> What do you think about that?
> Anything missing?
> What about removing space before/after a quote?
>
> Regards
>
> Marc Stern
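The tokenizer below is an added example, not ModSecurity code and not the transformation Marc describes implementing. It applies the six steps from the quoted proposal plus the comment handling Achim asks for, and runs Achim's example through both a regex-only comment stripper and the tokenizer so the difference is visible: the regex version eats the closing quote of the first literal and leaves an unbalanced statement, the tokenizer keeps comment-looking text inside literals and drops only real comments. The operator set, the treatment of `--`, `#` and MySQL `/*! ... */` versioned comments, and the decoding of 0x literals to latin-1 text are this example's own assumptions, as is making step 6 optional.

```python
import re

# Operator characters for step 5 (whitespace next to them is dropped). The set
# is an assumption of this example; '*' and '/' are left out because they also
# start comments and act as a wildcard.
OPERATORS = set("+-=<>!,();")
QUOTES = set("'\"`")
# Step 1: a 0x... literal that is not part of a longer identifier.
HEX_RE = re.compile(r"0[xX]([0-9A-Fa-f]+)(?![0-9A-Za-z_])")


def _read_string(sql, i, q):
    """Consume a string literal; sql[i-1] is its opening quote q.
    Backslash escapes are resolved (step 4) and a doubled delimiter is folded
    to one character (step 3). Returns (content, index after closing quote).
    An unterminated literal runs to the end of the input."""
    n, buf = len(sql), []
    while i < n:
        c = sql[i]
        if c == "\\" and i + 1 < n:            # \x -> x
            buf.append(sql[i + 1])
            i += 2
        elif c == q:
            if i + 1 < n and sql[i + 1] == q:  # '' inside '...' -> '
                buf.append(q)
                i += 2
            else:                              # closing quote
                i += 1
                break
        else:
            buf.append(c)
            i += 1
    return re.sub(r"\s+", " ", "".join(buf)), i   # step 2 inside the literal


def normalize_sql(sql, strip_quote_spaces=False):
    """Apply the six proposed steps plus comment removal to one SQL fragment.
    strip_quote_spaces enables step 6. Output is for rule matching only."""
    out = []
    last = None        # kind of the last emitted token: 'op', 'str' or 'tok'
    pending = False    # whitespace (or a comment) seen since the last token
    i, n = 0, len(sql)

    def emit(text, kind):
        nonlocal last, pending
        # steps 2, 5, 6: at most one space, none next to an operator,
        # and optionally none next to a string literal
        if pending and out and last != "op" and kind != "op":
            if not (strip_quote_spaces and "str" in (last, kind)):
                out.append(" ")
        out.append(text)
        last, pending = kind, False

    while i < n:
        c = sql[i]
        if c.isspace():
            pending = True
            i += 1
        elif sql.startswith("/*!", i):
            # MySQL versioned comment: the server executes its body, so the
            # body is spliced back into the input instead of being dropped.
            end = sql.find("*/", i + 3)
            body = sql[i + 3:end] if end != -1 else sql[i + 3:]
            body = re.sub(r"^\d{5}", "", body)  # optional version number
            rest = sql[end + 2:] if end != -1 else ""
            sql = sql[:i] + " " + body + " " + rest
            n = len(sql)
        elif sql.startswith("/*", i):           # block comment = whitespace
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            pending = True
        elif c == "#" or (sql.startswith("--", i)
                          and (i + 2 == n or sql[i + 2].isspace())):
            end = sql.find("\n", i)             # line comment to end of line
            i = n if end == -1 else end
            pending = True
        elif c in QUOTES:
            content, i = _read_string(sql, i + 1, c)
            emit("'" + content + "'", "str")    # step 3: one kind of quote
        elif c == "\\":
            i += 1                              # step 4 outside literals
        elif c == "0" and HEX_RE.match(sql, i) and not (
                i and (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            m = HEX_RE.match(sql, i)
            h = m.group(1) if len(m.group(1)) % 2 == 0 else "0" + m.group(1)
            emit("'" + bytes.fromhex(h).decode("latin-1") + "'", "str")
            i = m.end()
        elif c in OPERATORS:
            emit(c, "op")
            i += 1
        else:
            emit(c, "tok")
            i += 1
    return "".join(out)


def naive_strip_comments(sql):
    """Regex-only comment stripping, to show Achim's objection: it cannot tell
    a comment delimiter from the same text inside a string literal."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", "", sql)


# Achim's example from the thread.
ACHIM = ("SELECT * FROM tab WHERE col='a/* comment' + /* real comment */ "
         "' continues here' + /* but don't get fooled */ ' */' "
         "and col LIKE ' */' -- another comment */")

if __name__ == "__main__":
    print(normalize_sql(ACHIM))
    print(normalize_sql(ACHIM, strip_quote_spaces=True))
    print(naive_strip_comments(ACHIM))
```

On Achim's example the tokenizer yields `SELECT * FROM tab WHERE col='a/* comment'+' continues here'+' */' and col LIKE ' */'` (with step 6 enabled the spaces next to the literals go too), while the regex stripper removes the `' +` that closed the first literal and ends with an odd number of quotes. Comment text inside a literal, and whether `--` needs a following space, are dialect questions, which is the "TSQL, PSQL" point: the tokenizer has to commit to one grammar.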