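/// <summary>
/// Sanity-checks a user-supplied datasource query before it is executed: it must start with
/// SELECT and must not contain data-modifying / DDL / EXEC keywords, a statement separator
/// or a comment token.
/// </summary>
/// <param name="datasourceQuery">Raw query text; null or blank is rejected.</param>
/// <returns>
/// true when every check passes; false otherwise, including on any unexpected error (fail closed).
/// </returns>
/// <remarks>
/// NOTE(review): a keyword blacklist is NOT a security boundary. It does nothing against
/// read-side abuse (UNION / sub-selects against other tables or system views) and is only as
/// good as its tokenizer. Treat it as defense in depth and run the query under a SQL login
/// that has SELECT on the intended tables only.
/// </remarks>
private bool ValidateDatasourceQuery(String datasourceQuery)
{
    bool result = false;
    try
    {
        // Null / blank previously surfaced as an exception from Substring; reject explicitly.
        if (string.IsNullOrWhiteSpace(datasourceQuery))
        {
            return false;
        }

        // Invariant lower-casing: culture-sensitive ToLower() (e.g. Turkish "I" -> dotless i)
        // could turn "INSERT" into a spelling the keyword checks below never see.
        string query = datasourceQuery.Trim().ToLowerInvariant();

        bool isValid = query.StartsWith("select", StringComparison.Ordinal);

        // A second statement or a comment is the usual way to smuggle a keyword past a
        // space-delimited check ("select 1;drop/**/table x"), so reject them outright.
        if (query.Contains(";") || query.Contains("--") || query.Contains("/*"))
        {
            isValid = false;
        }

        // Keywords are matched as whole words bounded by any non-identifier character, so
        // "exec(", "drop\ttable" and a newline before "delete" are caught, not only the
        // space-delimited spellings. "execute" and "merge" were missing from the original list.
        // Underscore counts as an identifier character, so a column such as delete_flag still passes.
        string[] forbidden =
        {
            "delete", "exec", "execute", "insert", "update",
            "alter", "create", "drop", "truncate", "merge"
        };
        foreach (string keyword in forbidden)
        {
            string pattern = "(?<![0-9a-z_])" + keyword + "(?![0-9a-z_])";
            if (System.Text.RegularExpressions.Regex.IsMatch(
                    query, pattern, System.Text.RegularExpressions.RegexOptions.CultureInvariant))
            {
                isValid = false;
                break;
            }
        }

        result = isValid;
    }
    catch (Exception exception)
    {
        // Fail closed: any unexpected error leaves result == false and is only traced.
        GUC_Utilities.TraceError(exception);
    }
    return result;
}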
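//execute command
// NOTE(review): `sql` is raw command text, not a parameterized statement. A keyword blacklist
// upstream is not a substitute for running this under a read-only SQL login that has SELECT on
// the intended tables only.
// The reader and the command were never disposed here; dispose both once the table is loaded
// so an open reader is not left on the connection. The locals keep their names and scope.
SqlCommand sqlCommand = new SqlCommand(sql, sqlConnection);
SqlDataReader sqlDataReader = null;
try
{
    sqlDataReader = sqlCommand.ExecuteReader();
    dataTable.Load(sqlDataReader);
}
finally
{
    if (sqlDataReader != null)
    {
        sqlDataReader.Dispose();
    }
    sqlCommand.Dispose();
}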
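/// <summary>
/// Returns true when <paramref name="query"/> contains none of the blacklisted
/// data-modifying / DDL / EXEC keywords as a whole word (see <see cref="ValidateRegex"/>).
/// </summary>
/// <param name="query">Raw query text. A null query is rejected (fail closed).</param>
/// <returns>true when no blacklisted keyword is present; false otherwise.</returns>
/// <remarks>
/// NOTE(review): a keyword blacklist is defense in depth, not a security boundary. It does not
/// stop UNION / sub-select reads of other tables, and any keyword it does not list goes straight
/// through. Run the query under a read-only SQL login as well.
/// </remarks>
public static bool ValidateQuery(string query)
{
    if (query == null)
    {
        return false;
    }

    // "update" was missing even though the companion blacklist rejects it, and "execute" is a
    // separate whole word that the "exec" entry does not cover. MERGE also modifies data.
    string[] forbidden =
    {
        "delete", "exec", "execute", "insert", "update",
        "alter", "create", "drop", "truncate", "merge"
    };

    foreach (string term in forbidden)
    {
        if (ValidateRegex(term, query))
        {
            return false;
        }
    }
    return true;
}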
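/// <summary>
/// Reports whether <paramref name="term"/> occurs in <paramref name="query"/> as a whole word,
/// i.e. not immediately preceded or followed by an alphanumeric character ("drop" matches in
/// "1;drop table" and in "select 1; drop", but not in "dropdown"). Matching is case-insensitive
/// and culture-invariant.
/// </summary>
/// <param name="term">Literal keyword to look for; regex metacharacters in it are escaped.</param>
/// <param name="query">Text to search; must not be null.</param>
/// <returns>true when the keyword is present as a whole word.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="query"/> is null (from Regex.IsMatch).</exception>
public static bool ValidateRegex(string term, string query)
{
    // Look-arounds instead of consuming character classes: the original pattern required a
    // character on BOTH sides of the keyword, so a keyword at the very end of the input
    // ("select 1; drop") was never matched. Underscore is deliberately not treated as a word
    // character (same as the original), so "delete_flag" is still flagged.
    string pattern = "(?<![0-9a-z])" + Regex.Escape(term) + "(?![0-9a-z])";

    // CultureInvariant: IgnoreCase on its own follows the current culture (Turkish dotless i).
    return Regex.IsMatch(query, pattern, RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
}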
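/// <summary>
/// Dry-runs <paramref name="query"/> inside a transaction that is always rolled back and reports
/// whether SQL Server counted any affected rows.
/// </summary>
/// <param name="query">Command text to execute as <see cref="CommandType.Text"/>.</param>
/// <param name="conn">Connection string.</param>
/// <param name="parameters">
/// Optional parameters. They are detached from the temporary command before returning so the
/// caller's instances can be attached to the real command afterwards.
/// </param>
/// <returns>true when ExecuteNonQuery reported more than zero affected rows; false otherwise.</returns>
/// <remarks>
/// NOTE(review): this is NOT a safety gate.
///  - ExecuteNonQuery returns -1 for SELECT, for DDL (CREATE/ALTER/DROP) and whenever
///    SET NOCOUNT ON is in effect, so all of those yield false even though they ran.
///  - The statement really executes: anything that is not transactional (xp_cmdshell,
///    sp_send_dbmail, linked-server calls, WAITFOR delays) is not undone by the rollback.
/// Use it only under a least-privilege login and never as the sole authorisation check.
/// </remarks>
public static bool IsDbAffected(string query, string conn, List<SqlParameter> parameters = null)
{
    var response = false;
    using (var sqlConnection = new SqlConnection(conn))
    {
        sqlConnection.Open();
        using (var transaction = sqlConnection.BeginTransaction("Test Transaction"))
        using (var command = new SqlCommand(query, sqlConnection, transaction))
        {
            // Connection, transaction and text are already set by the constructor above.
            command.CommandType = CommandType.Text;
            if (parameters != null)
            {
                command.Parameters.AddRange(parameters.ToArray());
            }

            try
            {
                // ExecuteNonQuery() returns no data: only the row count for INSERT/UPDATE/DELETE
                // (and -1 for everything else), so this is all the "dry run" can observe.
                response = command.ExecuteNonQuery() > 0;

                // Always roll back explicitly, not only when rows were counted; a -1 result
                // (DDL, NOCOUNT) was previously left to Dispose() to undo. If ExecuteNonQuery
                // throws, disposing the uncommitted transaction below still rolls it back.
                transaction.Rollback("Test Transaction");
            }
            finally
            {
                // A SqlParameter can belong to only one SqlParameterCollection; detach the
                // caller's instances so they can be reused on the real command.
                command.Parameters.Clear();
            }
        }
    }
    return response;
}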