As you all know, Hiawatha has the ability to detect and block SQL injection attacks. It does so by matching user input with several regular expression patterns, which can be found at the top of src/session.c. I've always said that there is no 100% guarantee that all SQL injections are detected, hoping that someone would pick up the challenge and provide me with SQL injections that would bypass Hiawatha's filter. Unfortunately, no one did.
For the 9.7 release, I want to further improve Hiawatha's SQL injection detection capability. I've already made some improvements. Not only to the patterns themselves, but to the entire approach. I've already seen that the filter can easily be bypassed by using the /* */ comment syntax, so those are stripped first. What I need is someone with good knowledge of SQL injection and regular expressions to pick up the challenge to provide me with a set of regular expressions that block SQL injections without false positives.
To make this all easier, I've created a PreventSQLi test page. What this page does is strip the /* */ style comments, match the result against the detection patterns and, if no match was found, execute the query in a sandbox.
If you have good hacking skills or you know someone who does, please help to make Hiawatha an even more secure webserver.
To be clear, the PreventSQLi feature was never intended as a replacement for writing safe code. Its only purpose is to reduce the risk of being hacked while you wait for a patch for a vulnerable application when taking the application offline is not a real option. Nothing more than that.