Achim,

On Thu, Apr 30, 2009 at 3:02 PM, Achim Hoffmann <a...@securenet.de> wrote:
> On Thu, 30 Apr 2009, Andres Riancho wrote:
>
> !! Achim,
> !!
> !! On Thu, Apr 30, 2009 at 5:26 AM, Achim Hoffmann <a...@securenet.de> wrote:
> !! > How about following enhancements.
> !! >
> !! > why do we need spaces there?
> !! >   id=42
> !! > should be good enough for any DB
> !!
> !! hehe, yes, good finding, it was stupid to request that to the user.
> !! When I tried to fix it, I saw:
> !!
> !! #FIXME: This re is buggy
> !! self._match = re.match('^(?:((?:id|uri)) (=|>|>=|<=|<|<>|like) ([\w\'\" /:\.]+)( (and|or) )?)*$', text )
> !!
> !! (The comment was added by me months ago)
> !! Which... makes sense =)
> !! Could you please help me fix this regular expression? It is in the
> !! reqResDBHandler.py file.
>
> ok, just a suggestion out of my fingertips:
>
> self._match = re.match('^(?:((?:id|uri))\s*((?:[<>]?=|<|>|<>|like)\s+([\w\'\" /:.]+)(\s+(and|or)\s+)?)*$',text)

Nice regex, have you tested it?

> (Note: not sure if the \ in front of " is really necessary)

hmmm, not sure either. Maybe it could be removed.

> Keep in mind that (my experience):
>   id like 42
> is the same as
>   id=42
> so the regex at all is a lazy approach in this context.

Well... but the regex doesn't have to be PERFECT. We just need to let
the user know what is expected. If he decides to do a "id like 42" of
"id=42" then it's his problem.

> !! > Also, is it possible to use regex there?
> !! > At least simple regex would be more intuitive than SQLish like (at least to me:)
> !! >   id=4[23]
> !! >   id=4[2-4]
> !! >   url/(foo|bar).html?/
> !!
> !! hmmm, It seems to be something supported by the sqlite module [0],
> !! maybe if you modify the regular expression a little bit to let
> !! something like this "SELECT * FROM Foo WHERE Foo.Name REGEXP '$bar'"
> !! be valid, then we could test it.
> !!
> !! [0] http://www.sqlite.org/lang_expr.html
>
> "expr" and "expression" here has nothing to do with regex, correct me if I'm
> wrong.
> Using regex in w3af here would be a feature, additional to learn SQL syntax
> (which is already broken, somehow, due to the match see above).
>
> If others are with me that regex make sense in w3af's search, then I'll have
> a look at the source and try to implement it.

After searching a little bit I found that this works:

    import sqlite3 as sqlite
    import re

    connection = sqlite.connect(':memory:')
    cursor = connection.cursor()
    cursor.execute('CREATE TABLE names (id INTEGER PRIMARY KEY, name VARCHAR(50), email VARCHAR(50))')
    # String literals use single quotes, the standard SQL form
    cursor.execute("INSERT INTO names VALUES (null, 'John Doe', 'j...@jdoe.zz')")
    cursor.execute("INSERT INTO names VALUES (null, 'Mary Sue', 'm...@msue.yy')")
    cursor.execute('SELECT * FROM names')
    print(cursor.fetchall())

    def regexp(expr, item):
        # Called by SQLite for every row: expr is the pattern, item the column value
        reg = re.compile(expr)
        return reg.match(item) is not None

    # Register the Python function under the SQL name REGEXP (two arguments)
    connection.create_function("REGEXP", 2, regexp)
    cursor.execute("SELECT * FROM names where REGEXP('Mary.*', name)")
    print(cursor.fetchall())

Would you like to add it to the framework?

> Achim

--
Andrés Riancho
http://www.bonsai-sec.com/
http://w3af.sourceforge.net/
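
Added example, not part of the original message or of w3af's code: one way to accept the filter syntax discussed in this thread (optional spaces around the operator, plus a REGEXP operator) while keeping user input out of the SQL text. The `requests` table, its constructed rows, and the names `build_where`, `demo_db` and `search` are assumptions for illustration; `re.search` is used here instead of the anchored `re.match` shown in the message.

```python
import re
import sqlite3

# Field and operator are whitelisted; the value is a quoted string or a bare token.
_COND = re.compile(r"(id|uri)\s*(<=|>=|<>|=|<|>|like\b|regexp\b)\s*('[^']*'|[^\s']+)", re.I)
_JOIN = re.compile(r"\s+(and|or)\s+", re.I)

def build_where(text):
    """Parse 'id=42 and uri regexp foo' into (where_clause, params)."""
    text, pos, parts, params = text.strip(), 0, [], []
    while True:
        m = _COND.match(text, pos)
        if not m:
            raise ValueError("expected <id|uri> <operator> <value> at offset %d" % pos)
        field, op, value = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if value.startswith("'"):
            value = value[1:-1]
        if op == "REGEXP":
            try:
                re.compile(value)  # reject a broken pattern before it reaches SQLite
            except re.error as exc:
                raise ValueError("invalid regular expression: %s" % exc)
        parts.append("%s %s ?" % (field, op))
        params.append(value)       # bound later, never pasted into the SQL text
        pos = m.end()
        if pos == len(text):
            return " ".join(parts), params
        j = _JOIN.match(text, pos)
        if not j:
            raise ValueError("expected 'and' or 'or' at offset %d" % pos)
        parts.append(j.group(1).upper())
        pos = j.end()

def _regexp(pattern, item):
    # SQLite evaluates "X REGEXP Y" as regexp(Y, X): pattern first, column value second.
    return int(item is not None and re.search(pattern, str(item)) is not None)

def demo_db():  # in-memory table with constructed sample rows
    conn = sqlite3.connect(":memory:")
    conn.create_function("REGEXP", 2, _regexp)
    conn.execute("CREATE TABLE requests (id INTEGER PRIMARY KEY, uri TEXT)")
    rows = [(41, "/foo.html"), (42, "/bar.htm"), (43, "/baz.html")]
    conn.executemany("INSERT INTO requests VALUES (?, ?)", rows)
    return conn

def search(conn, text):
    where, params = build_where(text)
    sql = "SELECT id FROM requests WHERE %s ORDER BY id" % where
    return [row[0] for row in conn.execute(sql, params)]
```

Only the whitelisted column names and operators ever reach the SQL string, so a filter such as `id=1 or 1=1` is rejected by the parser rather than executed.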