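/// <summary>
/// Builds the <see cref="InjectionRequest"/> from the posted form fields
/// (<c>connectionstring</c>, <c>sqlcommand</c>, <c>querytype</c>).
/// </summary>
/// <param name="context">The current HTTP context whose request form is read.</param>
/// <param name="options">Server-side options; a configured connection string overrides the one posted by the client.</param>
/// <returns>The request describing what the needle should execute and against which database.</returns>
private InjectionRequest GetInjectionRequest(HttpContext context, InjectionOptions options)
{
#if NET45
    NameValueCollection form = context.Request.Form;
    string formConnectionString = form["connectionstring"];
    string sqlCommand = form["sqlcommand"];
    // form[...] is null when the field is absent; a null-safe static comparison
    // avoids the NullReferenceException the instance Equals call produced.
    // Ordinal matches the semantics of the previous string.Equals(string) call.
    bool isQuery = string.Equals(form["querytype"], "isquery", StringComparison.Ordinal);
#elif (NETCOREAPP2_1 || NETCOREAPP3_0)
    // NOTE(review): blocks on the async form read because the caller (ApplyTo) is
    // synchronous; making the request pipeline async would be the proper fix.
    IFormCollection form = context.Request.ReadFormAsync().Result;
    string formConnectionString = form["connectionstring"];
    string sqlCommand = form["sqlcommand"];
    // StringValues.ToString() yields "" for a missing field, so this compare is null-safe.
    bool isQuery = string.Equals(form["querytype"].ToString(), "isquery", StringComparison.Ordinal);
#endif

    // Choose the connection string source: the server-side option wins over the form.
    // When no option is configured, the client-supplied value is used as-is, i.e. the
    // caller of this endpoint decides which database is reached.
    string connectionString = string.IsNullOrEmpty(options.ConnectionString)
        ? formConnectionString
        : options.ConnectionString;

    InjectionRequest injection = new InjectionRequest
    {
        IsQuery = isQuery,
        ConnectionString = connectionString,
        SqlCommand = sqlCommand
    };

    // The full command text is written to the trace listeners (not the connection string).
    Trace.WriteLine($"Injection is query: '{injection.IsQuery}', with command: '{injection.SqlCommand}'");
    return injection;
}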
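/// <summary>
/// Serves the syringe page on GET and executes the posted SQL on POST.
/// Any other verb is left untouched.
/// </summary>
/// <param name="context">The current HTTP context to read the request from and write the response to.</param>
private void ApplyTo(HttpContext context)
{
    if (IsGetRequest(context))
    {
        // Serve the empty form; hide the connection string input when one is configured server-side.
        string responseContent = Rendering.GetResourceText("SqlSyringe.SyringeIndex.html");
        responseContent = responseContent.Replace("{{CONNECTIONSTRING-INPUT-DISPLAY}}", _options.HasConnectionString ? "none" : "block");
        ResponseWrite(context, responseContent);
    }
    else if (IsPostRequest(context))
    {
        try
        {
            Trace.WriteLine("Processing the SQL Syringe query request");
            if (string.IsNullOrEmpty(context.Request.ContentType))
            {
                throw new ArgumentException("HTTP request form has no content type.");
            }

            InjectionRequest injection = GetInjectionRequest(context, _options);
            Needle needle = new Needle(injection.ConnectionString);

            if (injection.IsQuery)
            {
                // Read and serve the data as an HTML table.
                DataTable data = needle.Retrieve(injection.SqlCommand);
                string htmlData = Rendering.GetHtmlTableFrom(data);
                ResponseWrite(context, Rendering.GetContentWith(htmlData));
            }
            else
            {
                // Execute and serve the affected row count. Wrapped once, consistent with
                // the query branch above; the earlier double GetContentWith call looked accidental.
                int affectedRowCount = needle.Inject(injection.SqlCommand);
                ResponseWrite(context, Rendering.GetContentWith($"Number of Rows affected: {affectedRowCount}"));
            }
        }
        catch (ThreadAbortException)
        {
            // Swallowed on purpose: the exception flow ends here, after one of the
            // ResponseWrite calls has ended the response.
        }
        catch (Exception ex)
        {
            // Serve the result page with the exception message. The message is HTML-encoded
            // because it can echo client-supplied text (e.g. the failing SQL) into the page.
            string responseContent = Rendering.GetResourceText("SqlSyringe.SyringeResult.html");
            responseContent = responseContent.Replace("{{OUTPUT}}", System.Net.WebUtility.HtmlEncode(ex.Message));
            ResponseWrite(context, responseContent);
        }
    }
}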