Flag SQL-injection metacharacters in input

Challenge

Your job

Implement:

int has_sqli_markers(const char *input);

Return 1 if input contains any of:

• a single quote (')
• the SQL line-comment marker --
• the SQL block-comment opener /*
• a statement terminator ;
• the case-insensitive substring UNION SELECT

Otherwise return 0. input == NULL → 0 (nothing to flag).

Rules

• Pure string detection. Don't sanitise, don't escape. The proper cure is prepared statements; this function is a layer.
• Case-insensitive match for UNION SELECT only. Other tokens are exact.

Hints

1. (concept) The tokens are short and disjoint. One pass over the input checking each one is fine.
2. (direction) strchr for single-char tokens, strstr for the multi-char ones. For the UNION SELECT case-insensitive match, build a small lowercased copy or use a custom case-folding strstr.
3. (common bug) -- is a substring of any line that contains two consecutive minuses. That's fine — the function is a flagger, not a parser.

Why this matters

A metacharacter detector on the input layer adds defence in depth above prepared statements.

Input format

A NUL-terminated string (may be NULL).

Output format

0 or 1.

Constraints

No allocation needed beyond a small stack buffer for case folding.

Starter code

#include <stddef.h>

int has_sqli_markers(const char *input) {
    /* TODO */
    (void)input;
    return 0;
}

Common mistakes

Returning a count instead of a boolean. Forgetting NULL input. Case-sensitive match for UNION SELECT.

Edge cases to handle

NULL input. Empty string. Input with quotes inside legitimate text (e.g. O'Brien) — still flagged because this is a flagger, not a smart parser.

Complexity

O(n) per substring check; bounded constant number of checks.

Background lessons

• Detect SQL-injection metacharacters in user input

Up next

• Render a finding struct as Markdown