SQL-injection heuristic scanner.
Pattern-based detection — purposefully shallow. This is not a parser. Reasons:
- The proxy already routes parsed queries; an attacker bypasses that by stuffing payloads into string literals. Pattern matching catches the literal-stuffing case the parser by definition cannot.
- The signal is “this looks like a known payload shape” — useful alongside a real WAF, not a substitute for one.
- False positives are surface area. Each pattern is documented with the payload class it targets so operators can mute the ones they don’t want.
Returned values are pattern labels, not the payload itself. Operators correlate against the SQL excerpt in the parent event.
Functions
- scan: Scan `sql` and return the labels of every pattern that matched. Empty vec = clean.
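An illustrative implementation of the `scan` contract described above, added here as an example and not the crate's own code: each pattern class carries a label naming the payload class it targets, matching runs over the raw query text so literal-stuffed payloads are still seen, only labels are returned, and `scan_muted` shows the operator mute the description mentions. The pattern set and the `scan_muted` helper are assumptions for this example.

```rust
/// Pattern classes, in report order. Each entry is (label, needles); the label
/// names the payload class so an operator can mute it. Needles are matched
/// against the normalized query text, string literals included, so payloads
/// stuffed into literals are still seen. Example set only, not the crate's.
const PATTERNS: &[(&str, &[&str])] = &[
    ("tautology", &["or 1=1", "or '1'='1", "or \"1\"=\"1"]),
    ("comment-truncation", &["--", "/*"]),
    ("stacked-query", &["; drop ", "; delete ", "; insert ", "; update ", "; exec"]),
    ("union-select", &["union select", "union all select"]),
    ("time-delay", &["sleep(", "pg_sleep(", "waitfor delay", "benchmark("]),
];

/// Lowercase, collapse whitespace runs to one space, and drop spaces around
/// `=` so `1 = 1` and `1=1` compare the same.
fn normalize(sql: &str) -> String {
    let joined = sql.split_whitespace().collect::<Vec<_>>().join(" ");
    joined
        .to_ascii_lowercase()
        .replace(" = ", "=")
        .replace(" =", "=")
        .replace("= ", "=")
}

/// Return the label of every pattern class that matched. Empty vec = clean.
/// The payload itself is never returned; operators correlate against the
/// SQL excerpt in the parent event.
pub fn scan(sql: &str) -> Vec<&'static str> {
    let norm = normalize(sql);
    PATTERNS
        .iter()
        .filter(|(_, needles)| needles.iter().any(|n| norm.contains(*n)))
        .map(|(label, _)| *label)
        .collect()
}

/// Same as `scan`, but drop labels the operator has muted (hypothetical helper).
pub fn scan_muted(sql: &str, muted: &[&str]) -> Vec<&'static str> {
    scan(sql).into_iter().filter(|l| !muted.contains(l)).collect()
}

fn main() {
    // Constructed sample queries: one clean, one with a literal-stuffed payload.
    for q in &[
        "SELECT * FROM users WHERE id = 42",
        "SELECT * FROM users WHERE name = 'x' OR '1'='1' --",
    ] {
        println!("{:?} -> {:?}", q, scan(q));
    }
}
```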