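/// <summary>
/// OWASP TOP 10 - A1 - No SQL injection: the user name is checked against a whitelist
/// regex and bound to the query as a parameter, never concatenated into the SQL text.
/// Looks up the user's <c>UserType</c> in the <c>Users</c> table and registers a new
/// <see cref="Session"/> for that user in <c>sessionList</c>.
/// </summary>
/// <param name="user">The user name; must match <c>^\w+$</c> (letters, digits, underscore).</param>
/// <param name="clientip">The client IP address stored on the new session; not validated here.</param>
/// <returns>
/// The id of the newly created session, or <c>null</c> when <paramref name="user"/> is
/// <c>null</c> or fails the whitelist check.
/// </returns>
/// <exception cref="SqlException">
/// Propagated when opening the connection or running the lookup fails; the connection and
/// command are disposed before the exception leaves this method.
/// </exception>
public static string addSession(string user, string clientip)
{
    // Whitelist check first: the parameterised query below already rules out injection,
    // this just rejects obviously malformed names before any database work is done.
    // The null guard avoids the ArgumentNullException Regex.IsMatch throws on null input.
    var userNameRegex = new Regex(@"^\w+$");
    if (user == null || !userNameRegex.IsMatch(user))
    {
        return null;
    }

    string constr = Settings.Default.UserDbConnectionString;
    string type = "";

    // Both objects are IDisposable; 'using' guarantees the connection is closed even when
    // ExecuteScalar throws. The original only called Close() on the success path.
    using (SqlConnection con = new SqlConnection(constr))
    using (SqlCommand command = new SqlCommand("SELECT UserType FROM Users Where Name = @UserName", con))
    {
        command.CommandType = CommandType.Text;
        // The value is bound as a parameter, so the SQL text is never shaped by user input.
        command.Parameters.AddWithValue(@"UserName", user);
        con.Open();

        // Run the query exactly once. The original called ExecuteScalar() twice (once for the
        // null test, once for the value), doubling round trips and letting the two reads disagree.
        // A NULL column comes back as DBNull.Value, whose ToString() is "", matching the
        // original's behaviour for that case.
        object result = command.ExecuteScalar();
        if (result != null)
        {
            type = result.ToString();
        }
    }

    Session s = new Session(generateSessionId(), type, user, clientip);
    // NOTE(review): sessionList is shared static state and is not synchronised here —
    // confirm that callers serialise access or that the list type is thread-safe.
    sessionList.Add(s);
    return s.SessionId;
}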
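/// <summary>
/// Removes the given session from the in-memory <c>sessionList</c>.
/// Every list entry whose <c>Equals</c> reports a match with <paramref name="s"/> is removed,
/// so the call is a no-op when the session is not (or no longer) registered.
/// </summary>
/// <param name="s">
/// The session to remove, typically the one resolved from the session-id cookie.
/// </param>
public static void deleteSession(Session s)
{
    // RemoveAll rather than Remove: also clears duplicate registrations in one pass.
    // Whether this is reference or value equality depends on Session.Equals, which is
    // defined elsewhere in the project.
    sessionList.RemoveAll(x => x.Equals(s));
}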