
SqlValidator

Validates SQL statements for backup restore operations.

Provides security hardening by:

  • Whitelisting allowed SQL statement types
  • Validating table names against known LWT tables
  • Blocking dangerous SQL patterns

Tags

  since: 3.0.0

Table of Contents

Constants

ALLOWED_TABLES  : array<string|int, string>
Tables allowed in backup/restore operations.
DANGEROUS_PATTERNS  : array<string|int, string>
Dangerous SQL patterns that should be blocked.

Properties

$errors  : array<string|int, string>
Validation errors collected during validation.

Methods

getAllowedTables()  : array<string|int, string>
Get the list of allowed tables.
getErrors()  : array<string|int, string>
Get validation errors.
getFirstError()  : string|null
Get the first error message.
validate()  : bool
Validate a single SQL statement.
validateAll()  : bool
Validate multiple SQL statements.
isAllowedTable()  : bool
Check if a table name is in the allowed list.
validateCreateTable()  : bool
Validate CREATE TABLE statement.
validateDropTable()  : bool
Validate DROP TABLE statement.
validateInsert()  : bool
Validate INSERT statement.

Constants

ALLOWED_TABLES

Tables allowed in backup/restore operations.

private array<string|int, string> ALLOWED_TABLES = [
    // Current table names
    'feed_links',
    'languages',
    'local_dictionaries',
    'local_dictionary_entries',
    'news_feeds',
    'sentences',
    'settings',
    'tags',
    'temp_word_occurrences',
    'temp_words',
    'text_tags',
    'word_occurrences',
    'texts',
    'text_tag_map',
    'words',
    'word_tag_map',
    // Legacy table names (for demo database and old backups)
    'archivedtexts',
    'archtexttags',
    'books',
    'feedlinks',
    'newsfeeds',
    'tags2',
    'temptextitems',
    'tempwords',
    'textitems',
    'textitems2',
    'texttags',
    'wordtags',
]

DANGEROUS_PATTERNS

Dangerous SQL patterns that should be blocked.

private array<string|int, string> DANGEROUS_PATTERNS = [
    // File operations
    '/\bLOAD_FILE\s*\(/i',
    '/\bINTO\s+(OUTFILE|DUMPFILE)\b/i',
    '/\bLOAD\s+DATA\b/i',
    // System functions
    '/\bSYSTEM\s*\(/i',
    '/\bEXEC\s*\(/i',
    '/\bSHELL\s*\(/i',
    // User/privilege manipulation
    '/\bCREATE\s+USER\b/i',
    '/\bDROP\s+USER\b/i',
    '/\bGRANT\b/i',
    '/\bREVOKE\b/i',
    '/\bALTER\s+USER\b/i',
    // Database manipulation
    '/\bCREATE\s+DATABASE\b/i',
    '/\bDROP\s+DATABASE\b/i',
    '/\bALTER\s+DATABASE\b/i',
    // Process control
    '/\bKILL\b/i',
    '/\bSHUTDOWN\b/i',
    // Stored procedures/functions
    '/\bCREATE\s+(PROCEDURE|FUNCTION|TRIGGER|EVENT)\b/i',
    '/\bDROP\s+(PROCEDURE|FUNCTION|TRIGGER|EVENT)\b/i',
    '/\bALTER\s+(PROCEDURE|FUNCTION|TRIGGER|EVENT)\b/i',
    '/\bCALL\s+/i',
    // Variables and configuration
    '/\bSET\s+(GLOBAL|SESSION|@@)/i',
    // Subqueries that could exfiltrate data
    '/\bSELECT\b.*\bFROM\b(?!.*\bINSERT\s+INTO\b)/is',
    // Comments that could hide malicious code
    '/\/\*[^*]*\*+([^\/*][^*]*\*+)*\//i',
    // Note: Multi-statement detection (semicolon check) removed because it causes
    // false positives on semicolons in string literals. Statement type validation
    // already prevents injection of dangerous statements.
    // Hex strings that could encode malicious queries
    '/0x[0-9a-fA-F]{20,}/i',
    // Sleep/benchmark (DoS attacks)
    '/\bSLEEP\s*\(/i',
    '/\bBENCHMARK\s*\(/i',
    // Information schema access
    '/\bINFORMATION_SCHEMA\b/i',
    '/\bMYSQL\./i',
    '/\bPERFORMANCE_SCHEMA\b/i',
]

Properties

$errors

Validation errors collected during validation.

private array<string|int, string> $errors = []

Methods

getAllowedTables()

Get the list of allowed tables.

public static getAllowedTables() : array<string|int, string>
Return values
array<string|int, string>

Array of allowed table names

getErrors()

Get validation errors.

public getErrors() : array<string|int, string>
Return values
array<string|int, string>

Array of error messages

getFirstError()

Get the first error message.

public getFirstError() : string|null
Return values
string|null

First error or null if no errors

validate()

Validate a single SQL statement.

public validate(string $sql) : bool
Parameters
$sql : string

The SQL statement to validate

Return values
bool

True if valid, false otherwise

validateAll()

Validate multiple SQL statements.

public validateAll(array<string|int, string> $statements) : bool
Parameters
$statements : array<string|int, string>

Array of SQL statements

Return values
bool

True if all valid, false otherwise

isAllowedTable()

Check if a table name is in the allowed list.

private isAllowedTable(string $tableName) : bool
Parameters
$tableName : string

The table name to check

Return values
bool

True if allowed

validateCreateTable()

Validate CREATE TABLE statement.

private validateCreateTable(string $sql) : bool
Parameters
$sql : string

The SQL statement

Return values
bool

True if valid

validateDropTable()

Validate DROP TABLE statement.

private validateDropTable(string $sql) : bool
Parameters
$sql : string

The SQL statement

Return values
bool

True if valid

validateInsert()

Validate INSERT statement.

private validateInsert(string $sql) : bool
Parameters
$sql : string

The SQL statement

Return values
bool

True if valid
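As an added illustration, not the project's own code (which is PHP), the following Python script re-creates the flow this page documents: it copies the DANGEROUS_PATTERNS strings verbatim in their PHP preg form, converts them for Python's re module, and then runs the three documented checks (blocklist scan, statement-type whitelist, ALLOWED_TABLES lookup) over constructed sample statements, collecting errors the way validate(), validateAll(), getErrors() and getFirstError() describe. The class name SqlValidatorDemo, the accepted statement forms (CREATE TABLE, DROP TABLE, INSERT INTO, inferred from the private validateCreateTable/validateDropTable/validateInsert methods), the check order, the exact-case table comparison, the error message texts and the sample statements are all assumptions of this example, not behaviour the page states.

```python
"""Illustrative Python re-creation of the checks documented for SqlValidator.
Not the project's PHP code: it re-applies the documented DANGEROUS_PATTERNS
and ALLOWED_TABLES so their effect on sample statements can be observed."""
import re

# Pattern strings copied verbatim from the documented DANGEROUS_PATTERNS, in PHP preg form.
PHP_DANGEROUS_PATTERNS = [
    r'/\bLOAD_FILE\s*\(/i', r'/\bINTO\s+(OUTFILE|DUMPFILE)\b/i', r'/\bLOAD\s+DATA\b/i',
    r'/\bSYSTEM\s*\(/i', r'/\bEXEC\s*\(/i', r'/\bSHELL\s*\(/i',
    r'/\bCREATE\s+USER\b/i', r'/\bDROP\s+USER\b/i', r'/\bGRANT\b/i', r'/\bREVOKE\b/i',
    r'/\bALTER\s+USER\b/i', r'/\bCREATE\s+DATABASE\b/i', r'/\bDROP\s+DATABASE\b/i',
    r'/\bALTER\s+DATABASE\b/i', r'/\bKILL\b/i', r'/\bSHUTDOWN\b/i',
    r'/\bCREATE\s+(PROCEDURE|FUNCTION|TRIGGER|EVENT)\b/i',
    r'/\bDROP\s+(PROCEDURE|FUNCTION|TRIGGER|EVENT)\b/i',
    r'/\bALTER\s+(PROCEDURE|FUNCTION|TRIGGER|EVENT)\b/i', r'/\bCALL\s+/i',
    r'/\bSET\s+(GLOBAL|SESSION|@@)/i', r'/\bSELECT\b.*\bFROM\b(?!.*\bINSERT\s+INTO\b)/is',
    r'/\/\*[^*]*\*+([^\/*][^*]*\*+)*\//i', r'/0x[0-9a-fA-F]{20,}/i',
    r'/\bSLEEP\s*\(/i', r'/\bBENCHMARK\s*\(/i',
    r'/\bINFORMATION_SCHEMA\b/i', r'/\bMYSQL\./i', r'/\bPERFORMANCE_SCHEMA\b/i',
]

# Table names copied from the documented ALLOWED_TABLES (current and legacy names).
ALLOWED_TABLES = frozenset([
    'feed_links', 'languages', 'local_dictionaries', 'local_dictionary_entries',
    'news_feeds', 'sentences', 'settings', 'tags', 'temp_word_occurrences',
    'temp_words', 'text_tags', 'word_occurrences', 'texts', 'text_tag_map',
    'words', 'word_tag_map', 'archivedtexts', 'archtexttags', 'books', 'feedlinks',
    'newsfeeds', 'tags2', 'temptextitems', 'tempwords', 'textitems', 'textitems2',
    'texttags', 'wordtags',
])

_PHP_FLAGS = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE, 'x': re.VERBOSE}


def php_regex_to_python(pattern: str) -> re.Pattern:
    """Compile a PHP preg pattern '/body/flags' for Python's re module.
    Handles the '/' delimiter and the i/s/m/x flags, which is all the list uses."""
    if not pattern.startswith('/'):
        raise ValueError(f'unsupported delimiter in {pattern!r}')
    end = pattern.rfind('/')  # closing delimiter; any escaped '\/' in the body sits before it
    body, flags = pattern[1:end], pattern[end + 1:]
    py_flags = 0
    for flag in flags:
        py_flags |= _PHP_FLAGS[flag]  # KeyError on a flag this converter does not know
    return re.compile(body, py_flags)


DANGEROUS_PATTERNS = [php_regex_to_python(p) for p in PHP_DANGEROUS_PATTERNS]


class SqlValidatorDemo:
    """Runs the three documented checks per statement and collects errors the way
    getErrors()/getFirstError() describe. Assumption: only the statement kinds the
    documented private validators cover (CREATE TABLE, DROP TABLE, INSERT INTO) pass."""

    _STATEMENT_RE = re.compile(
        r'^\s*(?:CREATE\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?|DROP\s+TABLE(?:\s+IF\s+EXISTS)?'
        r'|INSERT\s+INTO)\s+`?(?P<table>\w+)`?', re.IGNORECASE)

    def __init__(self):
        self.errors = []

    def validate(self, sql: str) -> bool:
        # 1. Blocklist scan over the whole statement text, string literals included.
        for rx in DANGEROUS_PATTERNS:
            if rx.search(sql):
                self.errors.append(f'dangerous pattern {rx.pattern!r} matched')
                return False
        # 2. Statement-type whitelist.
        match = self._STATEMENT_RE.match(sql)
        if match is None:
            self.errors.append(f'statement type not allowed: {sql[:40]!r}')
            return False
        # 3. Table name must be a known LWT table (exact-case match is an assumption).
        table = match.group('table')
        if table not in ALLOWED_TABLES:
            self.errors.append(f'table not allowed: {table}')
            return False
        return True

    def validate_all(self, statements) -> bool:
        # Every statement is evaluated so all errors are collected; whether the real
        # validateAll() stops at the first failure is not documented.
        return all([self.validate(s) for s in statements])

    def get_first_error(self):
        return self.errors[0] if self.errors else None


# Constructed sample statements (not taken from any real LWT backup).
SAMPLE_STATEMENTS = [
    "CREATE TABLE `words` (WoID int NOT NULL)",             # valid
    "INSERT INTO `texts` VALUES (1, 'Hello; world')",      # valid: ';' inside a literal is fine
    "DROP TABLE IF EXISTS `books`",                         # valid: legacy table name
    "INSERT INTO `words` SELECT WoText FROM `texts`",       # blocked: SELECT ... FROM
    "INSERT INTO `words` VALUES (1) /* hidden */",          # blocked: block comment
    "CREATE TABLE `evil` (x int)",                          # blocked: unknown table
    "UPDATE `words` SET WoText = 'x'",                      # blocked: statement type
    "INSERT INTO `texts` VALUES (2, 'You can kill time')",  # blocked: \bKILL\b hits the literal
]
```

Calling `SqlValidatorDemo().validate_all(SAMPLE_STATEMENTS)` returns False and leaves five entries in `errors`, one per rejected statement. Two things the samples make visible: the documented removal of the semicolon check means `'Hello; world'` inside a literal passes, but the word-boundary patterns are still matched against the whole statement text, so an INSERT whose literal happens to contain a word such as "kill" is rejected with the same error as a KILL statement would be. When restoring a backup of user-supplied texts, expect such rejections and review them as likely false positives rather than reading them as evidence of tampering.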
