Awesome

libinjection

SQL / SQLI tokenizer parser analyzer. For

C and C++
PHP
Python
Lua
Java (external port)
[LuaJIT/FFI] (https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)

See https://www.client9.com/ for details and presentations.

Simple example:

#include <stdio.h>
#include <strings.h>
#include <errno.h>
#include "libinjection.h"
#include "libinjection_sqli.h"

int main(int argc, const char* argv[])
{
    struct libinjection_sqli_state state;
    int issqli;

    const char* input = argv[1];
    size_t slen = strlen(input);

    /* in real-world, you would url-decode the input, etc */

    libinjection_sqli_init(&state, input, slen, FLAG_NONE);
    issqli = libinjection_is_sqli(&state);
    if (issqli) {
        fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint);
    }
    return issqli;
}

$ gcc -Wall -Wextra examples.c libinjection_sqli.c
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'

More advanced samples:

VERSION INFORMATION

See CHANGELOG for details.

Versions are listed as "major.minor.point"

Major are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.

Minor are C code changes. These may include

logical change to detect or suppress
optimization changes
code refactoring

Point releases are purely data changes. These may be safely applied.

QUALITY AND DIAGNOSITICS

The continuous integration results at https://travis-ci.org/client9/libinjection tests the following:

build and unit-tests under GCC
build and unit-tests under Clang
static analysis using clang static analyzer
static analysis using cppcheck
checks for memory errors using valgrind
code coverage online using coveralls.io

LICENSE

Licensed under the standard BSD 3-Clause open source license. See COPYING for details.

EMBEDDING

The src directory contains everything, but you only need to copy the following into your source tree: