1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
# SQL Operator Alternatives
# Logical and equality operator variations across SQL dialects for WAF bypass
# Loaded at compile-time via include_str! — adding entries here = zero Rust changes
# ═══════════════════════════════════════════
# Logical OR alternatives
# ═══════════════════════════════════════════
#
# Audit (2026-05-10): `||` is logical OR ONLY in SQLite and Oracle. In
# MySQL / PostgreSQL / MSSQL with default settings it is the string
# concatenation operator, so swapping `OR` → `||` flips the meaning of
# the payload. Removed from the global pool; gate behind a per-dialect
# rule (sqlite/oracle only) when the engine learns dialect awareness.
[[]]
= "OR"
= "Standard SQL OR operator"
[[]]
= "oR"
= "Mixed case OR (bypass case-sensitive filters)"
[[]]
= "Or"
= "Mixed case Or (bypass case-sensitive filters)"
[[]]
= "OR/*bypass*/"
= "Comment-appended OR (breaks regex boundary)"
[[]]
= "/*!OR*/"
= "MySQL conditional comment OR"
[[]]
= "OR%0a"
= "OR with URL-encoded newline suffix"
# ═══════════════════════════════════════════
# Logical AND alternatives
# ═══════════════════════════════════════════
[[]]
= "AND"
= "Standard SQL AND operator"
[[]]
= "&&"
= "MySQL logical AND"
[[]]
= "aNd"
= "Mixed case AND (bypass case-sensitive filters)"
[[]]
= "AnD"
= "Mixed case AnD (bypass case-sensitive filters)"
[[]]
= "AND/*bypass*/"
= "Comment-appended AND (breaks regex boundary)"
[[]]
= "/*!AND*/"
= "MySQL conditional comment AND"
[[]]
= "%26%26"
= "URL-encoded double-ampersand (bypass filter)"
# ═══════════════════════════════════════════
# Equality alternatives
# ═══════════════════════════════════════════
[[]]
= "="
= "Standard equality operator"
[[]]
= " LIKE "
= "LIKE operator with spaces (string comparison)"
[[]]
= " REGEXP "
= "REGEXP operator (MySQL/PostgreSQL)"
[[]]
= " RLIKE "
= "RLIKE operator (MySQL)"
# Audit (2026-05-10): removed semantically-incorrect "equality" entries:
#
# IS only valid for NULL / boolean. `1 IS 1` is a syntax
# error outside MySQL strict-mode; using it as a `=` swap
# produces broken SQL the server rejects.
# NOT IN ( inverts truth AND requires a closing paren. The engine
# doesn't track parens, so the output has unbalanced
# syntax. The TOML comment even said "requires closing
# paren" but the code ignored it.
# BETWEEN needs a pair (`x BETWEEN low AND high`); naked use is a
# syntax error.
# DIV integer division, NOT comparison. `id DIV 1` is `id`,
# not `id = 1`.
# XOR bitwise/logical exclusive-or. `1 XOR 1` is FALSE — the
# OPPOSITE of what an equality swap intends.
#
# Kept: REGEXP, RLIKE, GLOB, SOUNDS LIKE — all real string-equality
# equivalents on at least one mainstream dialect.
[[]]
= " GLOB "
= "SQLite GLOB operator"
[[]]
= " SOUNDS LIKE "
= "MySQL phonetic comparison (bypasses string match filters)"