I开发者_如何转开发 have a MYSQL class, which I'd like to make safe against SQL injection, so I thought of a checking algorithm. For example:
query("SELECT * FROM xyz WHERE id = @1 AND name = '@2' AND pwd = '@3' AND somenumber = @4", param1, param2, param3, param4)
This regex expression must match @1 and @4, so the first, and 4th argument should be integer.
I tried this:
[^'"]@\d+[^'"]
But it doesnt match:
@1,@4,@5
What could be the right expression?
Thank you in advance.
If you want @123 but not "@123", use
(?<!["'])@\d+(?!['"])
What your regex does:
[^'"]
matches one « anything but the string '" »@\d+
matches one at sign and as much numbers as possible[^'"]
matches another « anything but the string '" »
Therefore it would match d@12), @@0@, k@09. ...
精彩评论