

雇员)x。。虽然它并不完美,但工作完美,关于行数列,我们必须隐藏它。
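    /// <summary>
    /// Accepts a datasource query only if it starts with SELECT and contains none of the
    /// data-modifying or DDL keywords in the denylist below, matched as whole words.
    /// </summary>
    /// <param name="datasourceQuery">The SQL text to check; may be null.</param>
    /// <returns>true when the query passes every check; false otherwise, including for null, empty or too-short input.</returns>
    /// <remarks>
    /// A keyword denylist is a sanity check, not a security boundary: the database principal
    /// used to run datasource queries should be read-only so that anything this method misses
    /// cannot modify data. Changes from the earlier version: comparisons are ordinal and
    /// case-insensitive, so the result no longer depends on the current culture; any
    /// non-identifier character (tab, newline, ';', '(' ...) delimits a keyword, not only a
    /// space; "execute" is listed explicitly because the old " exec" substring test also
    /// rejected it; "truncate" is rejected on its own rather than only as "truncate table";
    /// and identifiers that merely contain a keyword ("deleted_at", "updates") are accepted.
    /// Nothing in the body can throw any more, so the previous catch-all (which turned the
    /// Substring failure on short input into a false result) was removed.
    /// </remarks>
    private bool ValidateDatasourceQuery(String datasourceQuery)
    {
        if (datasourceQuery == null) { return false; }

        String query = datasourceQuery.Trim();

        // StartsWith handles input shorter than six characters without an exception.
        if (!query.StartsWith("select", StringComparison.OrdinalIgnoreCase)) { return false; }

        // statements and DDL this datasource must never run
        String[] forbidden = { "delete", "exec", "execute", "insert", "update", "alter", "create", "drop", "truncate" };

        int position = 0;
        while (position < query.Length)
        {
            if (!IsIdentifierChar(query[position])) { position++; continue; }

            // collect one identifier/keyword token
            int start = position;
            while (position < query.Length && IsIdentifierChar(query[position])) { position++; }
            String word = query.Substring(start, position - start);

            foreach (String keyword in forbidden)
            {
                if (String.Equals(word, keyword, StringComparison.OrdinalIgnoreCase)) { return false; }
            }
        }

        return true;
    }

    /// <summary>Letters, digits and underscore form SQL identifier/keyword tokens; anything else is a delimiter.</summary>
    private static bool IsIdentifierChar(char c)
    {
        return Char.IsLetterOrDigit(c) || c == '_';
    }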
                //execute command
                SqlCommand sqlCommand = new SqlCommand(sql, sqlConnection);
                SqlDataReader sqlDataReader = sqlCommand.ExecuteReader();
                dataTable.Load(sqlDataReader);
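/// <summary>
/// Returns true when <paramref name="query"/> contains none of the data-modifying or DDL
/// keywords a read-only datasource query must not use (each matched as a whole word via
/// <see cref="ValidateRegex"/>).
/// </summary>
/// <param name="query">SQL text to check.</param>
/// <returns>true if no forbidden keyword is present; false otherwise.</returns>
/// <exception cref="ArgumentNullException"><paramref name="query"/> is null.</exception>
/// <remarks>
/// "update" and "execute" are included so the list covers the statements the datasource
/// refuses; the earlier list omitted "update" and only caught the short form "exec".
/// A denylist is a sanity check, not a security boundary: run datasource queries under a
/// read-only database principal.
/// </remarks>
public static bool ValidateQuery(string query)
{
    if (query == null) { throw new ArgumentNullException("query"); }

    string[] forbidden = { "delete", "exec", "execute", "insert", "update", "alter", "create", "drop", "truncate" };
    foreach (string term in forbidden)
    {
        if (ValidateRegex(term, query)) { return false; }
    }
    return true;
}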
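/// <summary>
/// Tests whether <paramref name="term"/> occurs in <paramref name="query"/> as a whole word,
/// i.e. not immediately preceded or followed by a letter, digit or underscore.
/// </summary>
/// <param name="term">Keyword to look for; regex metacharacters in it are escaped.</param>
/// <param name="query">SQL text to search.</param>
/// <returns>true when the term appears as a whole word anywhere, including at the very start or end of the text.</returns>
/// <exception cref="ArgumentNullException"><paramref name="term"/> or <paramref name="query"/> is null.</exception>
/// <remarks>
/// The earlier pattern required a delimiter character after the keyword, so a query that
/// ended in the keyword was never matched. Lookarounds test the boundary without consuming
/// a character and also cover start/end of string. Underscore counts as an identifier
/// character so "drop_count" is not reported as "drop". CultureInvariant keeps the
/// case-insensitive match independent of the current culture.
/// </remarks>
public static bool ValidateRegex(string term, string query)
{
    if (term == null) { throw new ArgumentNullException("term"); }
    if (query == null) { throw new ArgumentNullException("query"); }

    string pattern = "(?<![0-9A-Za-z_])" + Regex.Escape(term) + "(?![0-9A-Za-z_])";
    return Regex.IsMatch(query, pattern, RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
}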
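/// <summary>
/// Executes <paramref name="query"/> inside a transaction that is always rolled back and
/// reports whether the command claimed to affect at least one row.
/// </summary>
/// <param name="query">SQL text to run.</param>
/// <param name="conn">Connection string.</param>
/// <param name="parameters">Optional parameters added to the command; may be null.</param>
/// <returns>true when ExecuteNonQuery returns a positive row count; false otherwise.</returns>
/// <remarks>
/// This is a weak check, not a validator. ExecuteNonQuery returns -1 for DDL (DROP, ALTER,
/// CREATE, ...) and for SELECT alike, so DDL is reported as "not affected", and an
/// UPDATE/DELETE whose WHERE clause matches no rows is reported the same way. The statement
/// really runs on the server; any effect the transaction cannot undo is not undone by the
/// rollback. Prefer a read-only database principal over executing untrusted text to classify
/// it. The rollback is now unconditional instead of only when rows were affected (the
/// earlier code otherwise relied on Dispose to roll back); the redundant Connection and
/// CommandText assignments and the explicit Dispose calls inside the using blocks were removed.
/// </remarks>
public static bool IsDbAffected(string query, string conn, List<SqlParameter> parameters = null)
{
    var response = false;
    using (var sqlConnection = new SqlConnection(conn))
    {
        sqlConnection.Open();
        using (var transaction = sqlConnection.BeginTransaction("Test Transaction"))
        using (var command = new SqlCommand(query, sqlConnection, transaction))
        {
            command.CommandType = CommandType.Text;
            if (parameters != null)
            {
                command.Parameters.AddRange(parameters.ToArray());
            }

            // ExecuteNonQuery returns the rows affected by INSERT/UPDATE/DELETE and -1 for
            // every other statement type, so only a positive count is treated as "affected".
            response = command.ExecuteNonQuery() > 0;

            // Never keep the trial execution; if ExecuteNonQuery threw, disposing the
            // uncommitted transaction rolls it back instead.
            transaction.Rollback("Test Transaction");
        }
    }
    return response;
}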