I know the best way to prevent SQL injection is parameterised queries, but this is not possible in this specific use case because the client has to be able to input SQL statements directly.
So what my client did was to use a blacklist, which could be easily circumvented (e.g. use 'DEL'+'ETE' instead of DELETE to prevent detection).
Would SQL injection still be possible if the user input is parsed by a parser first? The user inputs an SQL string, and if there's a blacklisted keyword, it gets omitted. If the input has something like 'DEL'+'ETE' in it, the parser would parse it to DELETE (which is blacklisted) and the request would be omitted.
Is there a way around this? How could injection still be possible? The parser that is used has no known vulnerabilities itself.
The only thing that Google led me to was parse-tree validation, which is also not possible because the user-supplied queries can have different parse trees each time.
Thank you for your help.
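As an added illustration (not code from the question or from any answer), here is a small Python tokenizer that does what the question describes: it lexes the submitted SQL, constant-folds adjacent string literals joined by `+` or `||` so that `'DEL'+'ETE'` becomes the single literal `DELETE`, and then matches both keyword tokens and the words inside folded literals against a blacklist. The blacklist, the function names and the sample queries are assumptions made up for this example; a real deployment would maintain its own list.

```python
import re

# Constructed blacklist for this example; a real deployment decides its own.
BLACKLIST = {"DELETE", "DROP", "UPDATE", "INSERT", "ALTER", "TRUNCATE", "EXEC", "EXECUTE"}

# Minimal SQL lexer: whitespace, comments, 'string' literals (with '' escape),
# numbers, bare words (identifiers/keywords) and a few operators.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<line_comment>--[^\n]*)
  | (?P<block_comment>/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>\|\||[+\-*/=<>,;().])
""", re.VERBOSE | re.DOTALL)

WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(sql):
    """Return a list of (kind, text) tokens; raise ValueError on input the lexer cannot model."""
    tokens = []
    pos = 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        pos = m.end()
        kind = m.lastgroup
        if kind in ("ws", "line_comment", "block_comment"):
            continue  # no statement semantics, so nothing to match against
        text = m.group()
        if kind == "string":
            text = text[1:-1].replace("''", "'")  # strip quotes, unescape ''
        tokens.append((kind, text))
    return tokens


def fold_concat(tokens):
    """Collapse  string (+ or ||) string  into one string literal, left to right."""
    out = []
    for tok in tokens:
        if (tok[0] == "string" and len(out) >= 2
                and out[-1] in (("op", "+"), ("op", "||"))
                and out[-2][0] == "string"):
            out.pop()                      # drop the concatenation operator
            left = out.pop()               # take the left-hand literal
            out.append(("string", left[1] + tok[1]))
        else:
            out.append(tok)
    return out


def find_blacklisted(sql):
    """List every blacklisted word found as a keyword token or inside a folded literal."""
    hits = []
    for kind, text in fold_concat(tokenize(sql)):
        if kind == "word" and text.upper() in BLACKLIST:
            hits.append(text)
        elif kind == "string":
            hits.extend(w for w in WORD_RE.findall(text) if w.upper() in BLACKLIST)
    return hits


def is_allowed(sql):
    """Accept only statements the lexer fully understands and that contain no blacklisted word."""
    try:
        return not find_blacklisted(sql)
    except ValueError:
        return False  # unmodelled syntax is rejected rather than waved through


if __name__ == "__main__":
    # Constructed sample inputs
    for q in ("SELECT name FROM users WHERE id = 5",
              "SELECT 'DEL'+'ETE' FROM t",
              "delete from users"):
        print(q, "->", "allowed" if is_allowed(q) else f"rejected {find_blacklisted(q)}")
```

The check is only as complete as the lexer: anything the tokenizer does not model (dialect-specific syntax, for instance) is a gap, so this kind of matching is a detection aid rather than a security boundary, and the privileges of the database account the queries run under still bound what any accepted statement can do.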