Reputation: 731
I have tried to write a regex to catch certain words in a sentence, but it is not working. The below regex is only working when I give an exact match.
[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))
Let's say I send an HTTP header: headerName = insert
It works, but it does not work when I give headerName = awesome insert number
--edit--
@user1180, yes, I can use prepared statements, but we are also looking into the regex part.
@Marcel and Wiktor, yes, it is working on that website. I guess my tool is not recognizing the regex. I am using Mulesoft ESB, which uses Matches when the evaluated value fits a given regular expression (regex), specifically a regex "flavor" supported by Java.
It is using something like this,
matches /\+(\d+)\s\((\d+)\)\s(\d+\-\d+)/
and I am not aware of how to write my usecase in this regex format.
My use case is to catch SQL injection patterns: it would check the request header/query param for the "delete", "exec", "drop\s*table", "insert", "shutdown", "update" and "or" parameters.
Upvotes: 1
Views: 69
Reputation: 627488
Since your regex must match the whole input, you need to wrap the pattern with .*, something similar to (?s).*(<YOUR PATTERN>).*
Use
(?s).*\b(delete|exec|drop\s+table|insert|shutdown|update|or)\b.*
Details
(?s) - turns on DOTALL mode where . matches any char
.* - any 0+ chars, as many as possible
\b(delete|exec|drop\s+table|insert|shutdown|update|or)\b - any one of the whole words (note \b is a word boundary construct) in the group
.* - any 0+ chars, as many as possible
I also replaced drop\s*table with drop\s+table since I guess droptable is not expected.
Upvotes: 1
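The answer's point, that Java's matches (and therefore MuleSoft's matches) demands a whole-input match while find does not, as an added example that is not part of the original question or answer. It is written in Python, using re.fullmatch as a stand-in for Java's String.matches and re.search as a stand-in for Matcher.find; that equivalence is an assumption, but it holds for the constructs used here (\b, \s, (?s), (?i) and .*) on ASCII input. WRAPPED_CI, scan_headers and the sample headers are additions made for this example, not from the page.

```python
import re

# Patterns quoted from the page: the asker's original regex and the
# answer's version wrapped in .* so that a whole-input match succeeds.
ORIGINAL = r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"
WRAPPED = r"(?s).*\b(delete|exec|drop\s+table|insert|shutdown|update|or)\b.*"

# Added here, not from the page: the same pattern with (?i) so that
# DELETE and Delete are caught as well as delete. Java's flavor accepts
# the same inline flags at the start of the expression.
WRAPPED_CI = r"(?si).*\b(delete|exec|drop\s+table|insert|shutdown|update|or)\b.*"


def java_matches(pattern: str, value: str) -> bool:
    """Stand-in for Java's String.matches() / Matcher.matches(), which is
    what MuleSoft's `matches` applies: the entire input must be consumed
    by the pattern. re.fullmatch anchors both ends in the same way
    (assumption: both flavors agree on \\b, \\s, (?s), (?i) and .*)."""
    return re.fullmatch(pattern, value) is not None


def java_find(pattern: str, value: str) -> bool:
    """Stand-in for Java's Matcher.find(): a match anywhere in the input
    is enough, so no .* wrapping would be needed."""
    return re.search(pattern, value) is not None


def scan_headers(headers: dict, pattern: str = WRAPPED) -> list:
    """Return the names of headers whose value the whole-input pattern
    flags. Hypothetical helper; in MuleSoft the `matches` operator would
    be applied to each value inside a flow instead."""
    return [name for name, value in headers.items() if java_matches(pattern, value)]


# Constructed sample request headers (not captured traffic).
SAMPLE_HEADERS = {
    "headerName": "awesome insert number",   # the asker's failing case
    "X-Note": "author",                      # contains "or", but not as a word
    "X-Upper": "DELETE FROM users",          # upper-case keyword
    "X-Comment": "drop/**/table users",      # inline comment splits the keyword
}


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name!r:14} orig-matches={java_matches(ORIGINAL, value)!s:5} "
              f"orig-find={java_find(ORIGINAL, value)!s:5} "
              f"wrapped={java_matches(WRAPPED, value)!s:5} "
              f"wrapped-ci={java_matches(WRAPPED_CI, value)}")
    print("flagged:", scan_headers(SAMPLE_HEADERS))
```

Two caveats the output makes visible: the answer's pattern is case-sensitive as written, so "DELETE FROM users" passes it unless (?i) is added, and a keyword split by an inline SQL comment ("drop/**/table") passes both versions. A keyword blocklist like this is defense in depth at best; the prepared statements mentioned in the question are what actually prevent the injection.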