SQL Injection

Attacker-controlled SQL syntax in user input. Arcis sanitizes the request boundary as defense-in-depth; parameterized queries remain your primary defense.

What it catches

Sample payload

// Before
"admin' OR '1'='1' --"

// After (sanitize mode)
"admin"

// In block mode: 403, vector=sql, rule=patterns.sql.boolean-tautology

Configuration

app.use(arcis({
  block: true,
  sanitize: {
    sql: {
      enabled: true,
      includeTimingAttacks: true  // SLEEP / BENCHMARK / pg_sleep
    }
  }
}));
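The following is an added illustration of how a boundary detector with the sanitize / block modes and the includeTimingAttacks option above can behave; it is not Arcis's own implementation. The rule id patterns.sql.boolean-tautology comes from this page, while the timing rule id patterns.sql.timing and the function name inspectSql are assumed.

```javascript
// Illustrative detector (NOT Arcis's code). Shows sanitize vs block semantics
// for the boolean-tautology rule and the includeTimingAttacks option.
const RULES = [
  {
    id: 'patterns.sql.boolean-tautology',        // rule id as shown on this page
    // a quote, OR/AND, then 'x'='x' where both sides are identical (always true)
    re: /['"]\s*(?:or|and)\s+'([^']*)'\s*=\s*'\1'/i,
    timing: false,
  },
  {
    id: 'patterns.sql.timing',                   // ASSUMED id, not from the page
    re: /\b(?:sleep|benchmark|pg_sleep)\s*\([^)]*\)/i, // SLEEP / BENCHMARK / pg_sleep
    timing: true,
  },
];

// Inspect one input value. Returns { action, vector, rule, value }.
// block mode   -> caller answers 403 and the value is discarded
// sanitize mode-> the matched clause and any trailing comment marker are removed
function inspectSql(value, opts) {
  for (const rule of RULES) {
    if (rule.timing && !opts.includeTimingAttacks) continue;   // option disabled
    const m = rule.re.exec(value);
    if (!m) continue;
    if (opts.block) {
      return { action: 'block', status: 403, vector: 'sql', rule: rule.id, value: null };
    }
    const cleaned = value
      .replace(rule.re, '')                     // drop the injected clause
      .replace(/(--|#|\/\*).*$/, '')            // drop a trailing SQL comment
      .trim();
    return { action: 'sanitize', vector: 'sql', rule: rule.id, value: cleaned };
  }
  return { action: 'pass', vector: null, rule: null, value };
}

// Constructed sample: the payload from this page, in both modes.
const sanitizeOpts = { block: false, includeTimingAttacks: true };
const blockOpts = { block: true, includeTimingAttacks: true };
console.log(inspectSql("admin' OR '1'='1' --", sanitizeOpts)); // value: 'admin'
console.log(inspectSql("admin' OR '1'='1' --", blockOpts));    // status: 403
```

Values such as O'Brien pass untouched because the tautology rule needs an OR/AND plus an equal-sided comparison, not merely a quote.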

Disable or dry-run

// Skip SQL detection on a route that accepts a legitimate SQL string (admin console)
app.post('/admin/run-query', arcis({ sanitize: { sql: false } }), handler);

References

Defense-in-depth only. Arcis is not a replacement for parameterized queries. Always use an ORM or prepared statements as your primary defense. Pattern matching on the request boundary is the second line.