To prevent SQL-injection in user-defined formulae, is character whitelisting enough?

sql-injection

No, using a regular expression like the one you show would not protect against unauthorized expressions.

The example of allowing a user to write an expression and executing a query including that expression is SQL injection, by definition.

The way to prevent SQL injection is never to copy the user's input into SQL syntax at all. But that means users cannot execute their custom expressions verbatim.

Here's how one might provide custom functions safely: allow a user to submit an expression for your review. You would vet it, and if you determine it is safe, you can store that expression as an option they can choose in the future. For example, your UI would present a list of approved expressions, and they would choose one by its id. Then on the server-side, your could would look up the expression they specified in their request, and use that in an SQL query. Thus the dynamic part of the query could only be content that you had previously reviewed, not their literal input.

Related

Use an existing EBS volume with the Docker REX-Ray plugin on ECS
Switch button - disable swipe function
Angular / Firebase / Firestore - How to import firebase to use `serverTimestamp`
Jelastic: any plan to create an official Terraform provider?
Is it possible to use Firebase Realtime Database to implement a distributed mutex?
Passing Interface props in functional component in Typescript
How do I configure a GitHub Actions workflow so it does not run on a tag push?
Which code does the mainloop() processes infinitely until any event occurs?
"Stack Overflow" error when checking for prime numbers
How to keep system apps from being removed during device provisioning via Android Management API
ModuleNotFoundError: No module named 'rest_framework' I already installed djangorestframework
Why is this recursive python funcntion returning None? [duplicate]