resultset is making problems when column name is integer - sql

I have a database which is storing temperature values, so my database's column names are 100, 150, 200.
Now the problem is when I try to fetch values under column name 100 it shows an error.
My query looks like
Select 100 from user where name='me';
Then
rs.getString("100"); this line gives errors
Can anyone please suggest me how to retrieve values under these types of column names?

The standard SQL way to escape column names is to enclose them within double quotes.
SELECT "100" from user where name='me';
This is supported by most DBMSs: Oracle, PostgreSQL, MySQL, MSSQL and SQLite.
Apart from that, there are database-specific ways to escape column names:
SQL Server - Square brackets []
SELECT [100] from user where name='me';
MySQL - Backticks ``
SELECT `100` from user where name='me';
Note:
Double quotes act as escaping for reserved words in MSSQL when QUOTED_IDENTIFIER is ON.
Double quotes act as escaping for reserved words in MySQL if it is in ANSI mode.
So for MSSQL, do first
SET QUOTED_IDENTIFIER ON;

If your query uses any keyword or numerical column name then use [] for MS-SQL and `` for MySQL.
MS-SQL:
Select [100] from user where name='me';
MySQL:
Select `100` from user where name='me';

Related

Regex validation of table schema and name

I have an API that performs some query on a table that the caller specifies. The table name is placed in the query via string replace, and so is a risk for SQL injection.
Example:
tableName = req.body.tableName;
sql = "SELECT * FROM <<TABLE_NAME>>;";
sql = sql.replace("<<TABLE_NAME>>", tableName);
I'm required to keep this query dynamic, as we don't want to redeploy this code every time we add a new table. In other words, I can't just maintain a list of valid table names.
So for the purposes of keeping this safe from sql injection, is it sufficient to do a regex validation on the table name? We can be certain the table name will always be of the format schema.table_name where table_name will be only a-z, 0-9, -, _
Is there any sql injection that could slip past this table name regex?
^myschema\.[a-zA-Z0-9-_]+$
Since minus is not a valid character in a tablename, you could change your regex to just:
^myschema\.\w+$
\w is equivalent to [a-zA-Z0-9_]
There is no risk of injection.
Most databases allow special characters, even spaces and minuses, in table names if special syntax is used, eg
MySQL: `my stupid table-name!`
Postgres: "my stupid table-name!"
SQL Server: [my stupid table-name!]
It is poor practice to allow non-standard characters in names in the first place, and it would be fine to deny such names in your situation.
The minus sign cannot be used as an identifier in SQL. In the case of table names, I don't think it will lead to SQL injection attacks, but if you allow minus signs in column names, subtraction can be injected.
In the case of MySQL, the following SQL statement will return all users, not just 'tom'. This is because of the implicit type conversion that occurs when subtracting from a string.
SELECT * FROM users WHERE myschema.user-0 = 'tom'
The workaround is to exclude the minus sign or quote the identifier. The following will not result in a SQL injection attack.
SELECT * FROM users WHERE `myschema`.`user-0` = 'tom'
The above is the way to write it for MySQL, and the way to write it for standard SQL is as follows:
SELECT * FROM users WHERE "myschema"."user-0" = 'tom'
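The two defenses discussed above (an allowlist regex on the caller-supplied `schema.table` name, and quoting the identifier so a minus sign or a numeric name like `100` from the first question cannot change the statement) combined in one function. This is an added example, not code from any of the questions or answers; the names, the dialect switch and the sample inputs are constructed.

```javascript
// Added example (constructed): allowlist-validate "schema.table", then quote it
// as an identifier so the name is never spliced into the statement unquoted.

// One unquoted name part: \w is [A-Za-z0-9_] in JavaScript (no "u" flag), the
// class the regex answer recommends. A leading digit is fine once quoted.
const NAME_PART = /^\w+$/;

// Quote a single identifier part. Standard SQL uses double quotes, MySQL uses
// backticks; in both, a quote character inside the name is escaped by doubling it.
function quoteIdent(part, dialect = "standard") {
  const q = dialect === "mysql" ? "`" : '"';
  if (typeof part !== "string" || part.length === 0 || part.includes("\0")) {
    throw new Error("invalid identifier part");
  }
  return q + part.split(q).join(q + q) + q;
}

// Validate "schema.table" against a fixed schema and return the quoted
// reference, or null when the name fails the allowlist.
function safeTableRef(tableName, allowedSchema = "myschema", dialect = "standard") {
  if (typeof tableName !== "string") return null;
  const parts = tableName.split(".");
  if (parts.length !== 2) return null;        // rejects "a.b.c" and bare names
  const [schema, table] = parts;
  if (schema !== allowedSchema) return null;  // schema is fixed, not caller-chosen
  if (!NAME_PART.test(table)) return null;    // rejects "-", ";", spaces, quotes ...
  return quoteIdent(schema, dialect) + "." + quoteIdent(table, dialect);
}

// The query from the question, built only from a validated and quoted reference.
function buildSelect(tableName, dialect = "standard") {
  const ref = safeTableRef(tableName, "myschema", dialect);
  if (ref === null) throw new Error("rejected table name: " + tableName);
  return "SELECT * FROM " + ref + ";";
}
```

`quoteIdent` alone is what makes names such as `project-users`, `100` or `abc%def` usable when they already exist and cannot be renamed; `safeTableRef` is the stricter check for names that come from a request.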

How do I deal with SQL tablenames with hyphen (-) when writing raw queries? i.e project-users

I have a table called project-users and want to write a SQL query like SELECT * FROM project-users, but I get this error: ERROR: syntax error at or near "-".
I cannot change the table name at this point.
According to http://www.postgresql.org/docs/9.0/static/sql-syntax-lexical.html, you should use double quotes.
In your case, for PostgreSQL the query should be:
SELECT * FROM "project-users";
It is good practice to avoid the use of characters that need escaping or that contain spaces in identifiers.

select subset of column in IBM DB2

I am not able to perform a select query on a subset of columns of a database in IBM DB2.
select * from user
This works. But
select username from user
doesn't work. Here's the screenshot.
username is a reserved word. The "proper" solution would probably be to have a column name that isn't a reserved word, such as user_name. If changing the column name isn't an option, you could use double-quotes (") to escape it:
SELECT "username" FROM user

how to retrieve sql column includes special characters and alphabets

How to retrieve a column containing special characters including alphabets in a SQL query? I have a column like this 'abc%def'. I want to retrieve '%' based columns from that table.
Please help me in this regard.
Is abc%def the column name or the column value? Not sure what you are asking, but if you mean your column name contains special characters then you can escape them; the syntax differs based on the specific RDBMS you are using.
SQL Server use []
select [abc%def] from tab
MySQL use backquote
select `abc%def` from tab
EDIT:
Try like below to fetch column value containing % character (Checked, it works in Ingres as well)
select * from tab where col like '%%%'
Others suggest that like '%%%' works in Ingres. So this is something special in Ingres. It does not work in other DBMSs.
In standard SQL you would have to declare an escape character. I think this should work in Ingres, too.
select * from mytable where str like '%!%%' escape '!';

Hibernate - Raw Query execution_KEY Words Issue in query?

The setup consists of Hibernate 3. I am trying to execute the raw query as it is. The setup works fine for other simple queries, db inserts and updates.
The query in issue is :
org.hibernate.hql.ast.QuerySyntaxException: unexpected token: ( near line 1, column 29 [
SELECT keyMain, value FROM (select distinct K.[key] as keyMain,
( SELECT value FROM com.trans.dto.Resources as L WHERE L.[key] = K.[key]
and L.lang_code = 'A11' ) as value from com.trans.dto.Resources as K )
as test order by keyMain ]
Resources is the table & has mapping setup in hibernate.cfg.xml
I was under the impression "KEY" is the name of one of the columns, which cannot be changed. How do I escape keywords?
If not 1, then it is the multi-selects in the sub query.
Please advise. Any suggestion is of great help.
From here:
You can force Hibernate to quote an identifier in the generated SQL
by enclosing the table or column name in backticks in the mapping document.
Hibernate will use the correct quotation style for the SQL Dialect.
This is usually double quotes, but the SQL Server uses brackets and MySQL uses backticks.
So, try to escape your field with double quotes or with square brackets ('[key]').