Build Status Coverage Status license
SQL / SQLI tokenizer parser analyzer. For
- C and C++
- PHP
- Python
- Lua
- Java (external port)
- [LuaJIT/FFI] (https://github.com/p0pr0ck5/lua-ffi-libinjection) (external port)
See https://www.client9.com/ for details and presentations.
Simple example:
#include <stdio.h> #include <strings.h> #include <errno.h> #include "libinjection.h" #include "libinjection_sqli.h" int main(int argc, const char* argv[]) { struct libinjection_sqli_state state; int issqli; const char* input = argv[1]; size_t slen = strlen(input); /* in real-world, you would url-decode the input, etc */ libinjection_sqli_init(&state, input, slen, FLAG_NONE); issqli = libinjection_is_sqli(&state); if (issqli) { fprintf(stderr, "sqli detected with fingerprint of '%s'\n", state.fingerprint); } return issqli; }
$ gcc -Wall -Wextra examples.c libinjection_sqli.c
$ ./a.out "-1' and 1=1 union/* foo */select load_file('/etc/passwd')--"
sqli detected with fingerprint of 's&1UE'
More advanced samples:
See CHANGELOG for details.
Versions are listed as "major.minor.point"
Major are significant changes to the API and/or fingerprint format. Applications will need recompiling and/or refactoring.
Minor are C code changes. These may include
- logical change to detect or suppress
- optimization changes
- code refactoring
Point releases are purely data changes. These may be safely applied.
The continuous integration results at https://travis-ci.org/client9/libinjection tests the following:
- build and unit-tests under GCC
- build and unit-tests under Clang
- static analysis using clang static analyzer
- static analysis using cppcheck
- checks for memory errors using valgrind
- code coverage online using coveralls.io
Copyright (c) 2012-2016 Nick Galbreath
Licensed under the standard BSD 3-Clause open source license. See COPYING for details.
The src directory contains everything, but you only need to copy the following into your source tree: