コード例 #1
        //---------------------------------------------------------------------
        /// <summary>
        ///     Builds a <typeparamref name="TParameter"/> from the given name,
        ///     type, size, value and direction and attaches it to the SQL
        ///     command object held by this instance.
        /// </summary>
        /// <param name="Name">Parameter name as referenced in the query text</param>
        /// <param name="Type">SqlDbType of the parameter; mapped to a provider-neutral DbType before use</param>
        /// <param name="Size">Parameter size</param>
        /// <param name="Value">Parameter value; only applied when Direction is Input or InputOutput</param>
        /// <param name="Direction">Parameter direction</param>
        /// <returns>
        ///     The parameter that was added, or default(TParameter) when the
        ///     SqlDbType has no DbType mapping or when building/adding the
        ///     parameter raised an exception
        /// </returns>
        //---------------------------------------------------------------------
        public TParameter AddParameter(String Name, SqlDbType Type, int Size,
                                       Object Value, ParameterDirection Direction)
        {
            // Map the provider-specific SqlDbType onto the generic DbType.
            // An unmappable type is reported as a failure, not an exception.
            DbType mappedType;

            if (!AntiSQLiCommon.ConvertToDbType(Type, out mappedType))
            {
                return default(TParameter);
            }

            try
            {
                // Name, type, size and direction are fixed up front.
                TParameter parameter = new TParameter
                {
                    ParameterName = Name,
                    DbType        = mappedType,
                    Size          = Size,
                    Direction     = Direction
                };

                // Output-only and return-value parameters carry no caller value.
                bool carriesInput = Direction == ParameterDirection.Input
                                 || Direction == ParameterDirection.InputOutput;

                if (carriesInput)
                {
                    parameter.Value = Value;
                }

                SqlCommandObject.Parameters.Add(parameter);

                // Hand the parameter back so the caller can read it later
                // (e.g. an Output value after execution).
                return parameter;
            }
            catch (Exception)
            {
                // Documented best-effort contract: any failure while building or
                // attaching the parameter surfaces as default(TParameter) rather
                // than propagating to the caller.
                return default(TParameter);
            }
        }
コード例 #2
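        //---------------------------------------------------------------------
        /// <summary>
        ///     Creates and parameterizes an instance of Microsoft.Azure.Cosmos.QueryDefinition
        ///     using the given queryText and args to mitigate risk from SQLi attacks
        /// </summary>
        /// <param name="queryText">Query text containing {0} .. {N} placeholders</param>
        /// <param name="args">Untrusted values to bind, one per placeholder</param>
        /// <returns>
        ///     A QueryDefinition built from queryText with every placeholder
        ///     replaced by a named parameter and every value bound via WithParameter
        /// </returns>
        /// <exception cref="AntiSQLiException">
        ///     Thrown when the arguments cannot be converted, when the conversion
        ///     yields no parameters, or when the query text cannot be parameterized
        /// </exception>
        //---------------------------------------------------------------------
        public static QueryDefinition Create(String queryText, params Object[] args)
        {
            // Input validation (throws on invalid queryText/args)
            AntiSQLiCommon.ValidateQueryTextAndArgsThrowEx(queryText, args);

            // Parameterize given arguments
            IEnumerable<Documents.SqlParameter> convertedParameters;

            if (!AntiSQLiCommon.TryConvertObjectsToDbParameterCollection(out convertedParameters, args))
            {
                throw new AntiSQLiException(Resources.AntiSQLiResource.Error_UnableToParseArguments);
            }

            // Materialize once: the sequence is consulted three times below
            // (emptiness check, query-text substitution, WithParameter loop), and
            // a deferred IEnumerable would otherwise be re-evaluated on each pass.
            List<Documents.SqlParameter> parsedParameters = convertedParameters.ToList();

            // If no parameters parsed, then stop execution, may not be safe to continue
            if (parsedParameters.Count == 0)
            {
                throw new AntiSQLiException(Resources.AntiSQLiResource.Error_NoParametersParsed);
            }

            // Substitute the queryText formatters (i.e. {0} .. {N}) with the
            // proper parameter names (i.e., @AntiSQLiParam1 ... @AntiSQLiParamN,
            // where N is the number of elements in the args params
            String parameterizedQueryText;

            if (!AntiSQLiCommon.TryParameterizeQueryText(queryText, parsedParameters, out parameterizedQueryText))
            {
                throw new AntiSQLiException(Resources.AntiSQLiResource.Error_UnableToParameterizeQuery);
            }

            // Create final QueryDefinition object and bind every parameter.
            // WithParameter returns a new QueryDefinition, so the result must be
            // reassigned on each iteration.
            QueryDefinition finalQueryDefinition = new QueryDefinition(parameterizedQueryText);

            foreach (var p in parsedParameters)
            {
                finalQueryDefinition = finalQueryDefinition.WithParameter(p.Name, p.Value);
            }

            return finalQueryDefinition;
        }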
コード例 #3
 /// <summary>
 ///     Extension for Microsoft.Azure.Documents.SqlQuerySpec https://docs.microsoft.com/fr-fr/dotnet/api/microsoft.azure.documents.sqlqueryspec?view=azure-dotnet
 ///     that loads queryText into the spec with the untrusted values in
 ///     queryTextArgs bound as parameters (via AntiSQLiCommon.ParameterizeAndLoadQuery)
 ///     rather than spliced into the query text.
 /// </summary>
 /// <param name="sqs">Query spec to populate</param>
 /// <param name="queryText">Query text to load</param>
 /// <param name="queryTextArgs">Untrusted values to bind as query parameters</param>
 public static void LoadQuerySecure(this SqlQuerySpec sqs, String queryText, params Object[] queryTextArgs)
     => AntiSQLiCommon.ParameterizeAndLoadQuery(sqs, queryText, queryTextArgs);
コード例 #4
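 //---------------------------------------------------------------------
 /// <summary>
 ///     Extension to System.Data.SqlClient to load query with untrusted
 ///     data provided in args parameters safely to mitigate the risk from
 ///     SQL injection attacks
 /// </summary>
 /// <param name="sqlCommandObj">Command whose text and parameter collection are populated</param>
 /// <param name="queryText">Query string to execute</param>
 /// <param name="queryTextArgs">Untrusted values to bind as SqlParameter instances</param>
 //---------------------------------------------------------------------
 public static void LoadQuerySecure(this System.Data.SqlClient.SqlCommand sqlCommandObj, String queryText, params Object[] queryTextArgs)
     => AntiSQLiCommon.ParameterizeAndLoadQuery<System.Data.SqlClient.SqlParameter>(sqlCommandObj, queryText, queryTextArgs);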