cybersecurity · intermediate · ~15 min
Recognise common signs of SQL injection attempts in user-supplied data — as a logging/alerting heuristic, not a sanitiser.
Implement int contains_sql_special(const char *s) returning 1 if s contains any of the characters or sequences ', ", ;, --, or /*. Otherwise return 0.
This is a teaching aid, not a defence. Real protection against SQL injection is parameterised queries / prepared statements — never building a query string by concatenation. See the explanation for why.
Detecting SQL-special characters in user input is a (toy, defensive) first step toward understanding SQL injection. In real code you'd use parameterised queries, not blacklists — but the detection skill matters for audits.
int contains_sql_special(const char *s) {
/* TODO */
return 0;
}
A common pitfall is handling ' (single quote) but missing -- (comment), ; (statement separator), or \ (escape). Blacklisting alone is unsafe in production; always parameterise.
Edge cases: empty input; Unicode escape sequences; the -- comment style.
Expected time complexity: O(strlen(s)), a single pass over the input.
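A reference implementation of the heuristic, added here as an example rather than the exercise's own solution; the sample inputs are constructed, and treating a NULL pointer as "nothing to flag" is an assumption the spec does not state. Note that a legitimate value such as O'Brien is flagged too, which is exactly why this is an alerting heuristic and not a filter.

```c
#include <stddef.h>
#include <stdio.h>

// Heuristic detector: returns 1 if s contains ', ", ;, -- or /*, else 0.
// A logging/alerting aid only; it is not a substitute for parameterised queries.
int contains_sql_special(const char *s)
{
    if (s == NULL)
        return 0;  // assumption: missing input is treated as clean
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '\'' || *p == '"' || *p == ';')
            return 1;
        // Two-character sequences: p[1] is at worst the terminating NUL,
        // so reading it never runs past the end of the string.
        if ((*p == '-' && p[1] == '-') || (*p == '/' && p[1] == '*'))
            return 1;
    }
    return 0;
}

// Constructed sample inputs: a mix of benign values and textbook injection shapes.
static const char *const SAMPLE_INPUTS[] = {
    "alice",                   // ok
    "",                        // ok: empty input
    "O'Brien",                 // FLAG: false positive on a legitimate name
    "x\" OR 1=1 --",           // FLAG: double quote and comment
    "name; DROP TABLE users",  // FLAG: statement separator
    "a/*comment*/b",           // FLAG: block comment opener
    "just-a-dash",             // ok: a single '-' is not '--'
    "path/to/file",            // ok: '/' not followed by '*'
};
#define N_SAMPLES (sizeof SAMPLE_INPUTS / sizeof SAMPLE_INPUTS[0])

// Returns how many of the sample inputs the heuristic would flag (4 here).
int count_flagged(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++)
        if (contains_sql_special(SAMPLE_INPUTS[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLES; i++)
        printf("%-26s -> %s\n", SAMPLE_INPUTS[i],
               contains_sql_special(SAMPLE_INPUTS[i]) ? "FLAG" : "ok");
    return 0;
}
```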