Good day. I'm using the following regex to restrain users from adding "bad" stuff in a MySQL query.
$regex = "/\s+where(?:\s+([a-z]\w*\.?\w*)\s*=\s*(?!\1)\'?\w*\'?(?:\s*and)?)+\s*(?:order\s+by|limit|$)/uix";
Thing is, when trying the following query - it still matches:
$query = "UPDATE test set is_active = 1 where id = id ";
var_dump(preg_match($regex, $query));die;
//int(1)
What's even more strange, I've tried to test and debug this regex using online tools like this, this, and regexr.com, and everywhere the regex does not match the query. Am I missing some flag or setting or something?
Edit: I did not escape the \1 properly because I was using double quotes. Thank you, goldfish from the regex101 chat :)
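The escaping problem named in the edit above, as an added example that is not part of the original post: the same pattern is written double-quoted, single-quoted, and double-quoted with the backslash doubled, then run against the query from the question. The helper name `describe()` and the second query are constructed for illustration.

```php
<?php
// Added illustration, not the poster's code. describe() is a hypothetical helper.

// As in the question: inside double quotes PHP treats "\1" as an octal escape,
// so PCRE receives the single byte 0x01 instead of a backreference to group 1.
$double = "/\s+where(?:\s+([a-z]\w*\.?\w*)\s*=\s*(?!\1)\'?\w*\'?(?:\s*and)?)+\s*(?:order\s+by|limit|$)/uix";

// Single quotes: only \\ and \' are escapes, so \1 reaches PCRE unchanged.
$single = '/\s+where(?:\s+([a-z]\w*\.?\w*)\s*=\s*(?!\1)\'?\w*\'?(?:\s*and)?)+\s*(?:order\s+by|limit|$)/uix';

// Double quotes with the backslash doubled: produces the same bytes as $single.
$escaped = "/\s+where(?:\s+([a-z]\w*\.?\w*)\s*=\s*(?!\\1)'?\w*'?(?:\s*and)?)+\s*(?:order\s+by|limit|$)/uix";

// Constructed sample input: the query from the question, plus one whose
// right-hand side is a literal rather than the column itself.
$queries = [
    "UPDATE test set is_active = 1 where id = id ",
    "UPDATE test set is_active = 1 where id = 5 ",
];

function describe(string $label, string $pattern, array $queries): void
{
    // A raw control byte inside a pattern is the trace left by an escape
    // sequence that PHP consumed before the regex engine ever saw it.
    $eaten = preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $pattern) === 1;
    printf("%s: control byte in pattern = %s\n", $label, $eaten ? 'yes' : 'no');

    // Show exactly what sits inside the lookahead after PHP string parsing.
    $start = strpos($pattern, '(?!') + 3;
    $inside = substr($pattern, $start, strpos($pattern, ')', $start) - $start);
    printf("  lookahead body as hex: %s\n", bin2hex($inside));

    foreach ($queries as $query) {
        printf("  preg_match = %d for: %s\n", preg_match($pattern, $query), $query);
    }
}

describe('double-quoted', $double, $queries);
describe('single-quoted', $single, $queries);
describe('double-quoted, \\\\1', $escaped, $queries);

// The two corrected spellings are byte-for-byte the same pattern.
var_dump($single === $escaped);
```

Comparing the hex dump of the lookahead body between the first and second run shows whether the regex engine was given a backreference or a control byte, which is also why pasting the pattern text into an online tester behaves differently from the PHP double-quoted literal.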