  #1 (New to the CF scene, joined Dec 2017)

    Python code for SQL injection detection

    I have code for malicious URL detection, but I want this code rewritten for SQL injection detection. Please, can anyone in the house help? The code is below, thanks.

    import pandas as pd

    from sklearn.feature_extraction.text import TfidfVectorizer
    from sklearn.linear_model import LogisticRegression
    from sklearn.model_selection import train_test_split

    # data.csv is expected to have a "url" column and a "label" column
    urls_data = pd.read_csv("data.csv")

    def makeTokens(f):
        # split the URL into tokens on '/', then '-', then '.'
        tkns_BySlash = str(f).split('/')
        total_Tokens = []
        for i in tkns_BySlash:
            tokens = str(i).split('-')
            tkns_ByDot = []
            for j in range(0, len(tokens)):
                temp_Tokens = str(tokens[j]).split('.')
                tkns_ByDot = tkns_ByDot + temp_Tokens
            total_Tokens = total_Tokens + tokens + tkns_ByDot
        total_Tokens = list(set(total_Tokens))  # drop duplicate tokens
        if 'com' in total_Tokens:
            total_Tokens.remove('com')  # 'com' appears everywhere, so it carries no signal
        return total_Tokens

    y = urls_data["label"]
    url_list = urls_data["url"]
    vectorizer = TfidfVectorizer(tokenizer=makeTokens)
    x = vectorizer.fit_transform(url_list)
    x_train, x_test, y_train, y_test = train_test_split(x, y, test_size=0.2, random_state=42)
    logit = LogisticRegression()
    logit.fit(x_train, y_train)
    print("Accuracy ", logit.score(x_test, y_test))

    # classify a new URL with the trained model
    x_predict = ["http://www.psn.com.pk/"]
    x_predict = vectorizer.transform(x_predict)
    New_predict = logit.predict(x_predict)
    print(New_predict)

  #2 deathshadow (Senior Coder, Keene, NH, joined Feb 2016)
    Generally such detections result in too many false positives -- and realistically, if your interface to SQL is worth a damn (like PDO or mysqli in PHP) and you are practicing separation of query from data (aka prepare/execute), there is no longer even such a thing AS a SQL injection.

    It should never even have existed in the first place, but PHP was a bit "special" in its early days, in the same way some Olympics are "special". There's a reason we were told for over a decade to stop using mysql_ and to STOP slopping variables into query strings.

    Which of course is why, after a decade of being told to stop that and six years of giant red warning boxes in the manual telling people to stop using mysql_, PHP programmers STILL ended up running around like chickens with their heads cut off when PHP 5.6 and 7 dropped.

    Or does Python still have its head wedged up 2007's backside, with no prepare/execute and auto-sanitization methodology? Or are you doing something foolhardy like hosting on IIS?
    I would rather have questions that can't be answered, than answers that can't be questioned.
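The following is an added example, not code from either poster, that puts the two posts side by side: a crude signature-style detector of the kind the first post asks for, and the prepare/execute separation the reply recommends, both run in Python's built-in sqlite3 against a constructed in-memory table. The table schema, the regex list and the four sample inputs (two attack strings, two legitimate values) are all constructed for this example. It shows the false-positive problem on a legitimate name containing an apostrophe, and that the parameterised query neither breaks on that name nor returns extra rows for the attack strings.

```python
import re
import sqlite3

# Constructed sample inputs (not from the thread): two attack strings and two
# legitimate values, one of which contains an apostrophe.
SAMPLE_INPUTS = {
    "attack_tautology": "' OR 1=1 --",
    "attack_union": "x' UNION SELECT secret FROM users --",
    "legit_name": "O'Brien",
    "legit_comment": "select the red one or the blue one",
}

# A naive signature detector, the kind of thing the first post is after.
# Assumed pattern list; real products use far larger (and still leaky) sets.
SQLI_PATTERNS = [
    r"'\s*or\s+\d+\s*=\s*\d+",  # ' OR 1=1 style tautology
    r"union\s+select",          # UNION-based data extraction
    r"--",                      # comment out the rest of the query
    r"'",                       # any stray quote at all
]
SQLI_RE = re.compile("|".join(SQLI_PATTERNS), re.IGNORECASE)


def looks_like_sqli(value: str) -> bool:
    """Return True if any signature matches; note it also fires on O'Brien."""
    return SQLI_RE.search(value) is not None


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table (constructed data for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("O'Brien", "s3")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the value is spliced into the query text, so the input
    changes the shape of the SQL. Raises on a legitimate apostrophe."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """SAFE: the query shape is fixed; the value is bound as data
    (prepare/execute, the separation the reply describes)."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def run_demo() -> dict:
    """Run every sample through the detector and both lookups.

    For the concatenated query, a database error is captured as a string
    starting with 'ERROR' instead of aborting the demo."""
    conn = make_db()
    results = {}
    for label, value in SAMPLE_INPUTS.items():
        try:
            concat = lookup_concat(conn, value)
        except sqlite3.Error as exc:
            concat = "ERROR: " + str(exc)
        results[label] = {
            "flagged_by_detector": looks_like_sqli(value),
            "concat_query_rows": concat,
            "param_query_rows": lookup_param(conn, value),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Reading the result: the tautology and UNION inputs dump the whole table (names, then the secret column) through the concatenated query but return nothing through the bound one; "O'Brien" is flagged by the detector and crashes the concatenated query with a syntax error, while the bound query finds the row; the plain English sentence containing "select" and "or" is harmless either way. The detector would have to be tuned per application to stop rejecting Irish surnames, whereas the parameterised query needs no detection at all.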

