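/// <summary>
/// Feeds SQL-injection style payloads (a closing quote followed by DROP / DELETE / UPDATE
/// statements) through <c>FdoFilter.Parse</c> as the value of a <c>RNAME = '...'</c>
/// comparison and checks that none of the injected statement tokens survive the round
/// trip through <c>ToString()</c>.
/// A <c>ManagedFdoException</c> from the parser is treated as the parser rejecting the
/// payload outright, which also counts as protection: it is logged, not failed.
/// NOTE(review): token absence is only a heuristic. A parser that escaped the embedded
/// quote and kept the whole payload inside one string literal would still contain "DROP"
/// and fail this check even though the value is safely quoted, while a parser that
/// silently truncates at the stray quote passes it - confirm against the parser's
/// literal handling before treating a failure here as an injection hole.
/// </summary>
public void TestSqlInjectionProtection()
{
    const string suspectQuery = "RNAME = '{0}'";
    var tests = new[]
    {
        new { label = "Drop table attempt",  sql = "a'; DROP TABLE Parcels; SELECT * FROM Parcels WHERE '1' = '1",           testTokens = new[] { "DROP", ";" } },
        new { label = "Delete rows attempt", sql = "b'; DELETE FROM Parcels; SELECT * FROM Parcels WHERE '1' = '1",          testTokens = new[] { "DELETE", ";" } },
        new { label = "Update rows attempt", sql = "c'; UPDATE Parcels SET RNAME = ''; SELECT * FROM Parcels WHERE '1' = '1", testTokens = new[] { "UPDATE", "SET", ";" } },
    };

    int testNo = 1;
    foreach (var t in tests)
    {
        string origFilter = string.Format(suspectQuery, t.sql);
        try
        {
            FdoFilter filter = FdoFilter.Parse(origFilter);
            string filterStr = filter.ToString();
            Console.WriteLine("Test {0}: {1}\n Original: {2}\n Parsed: {3}", testNo, t.label, origFilter, filterStr);

            // Ordinal, case-insensitive search: ToUpper() is culture-sensitive and the
            // tokens are SQL keywords, not user-facing text. Report which token leaked
            // instead of a bare Assert.False so a failure is actionable.
            string leaked = t.testTokens.FirstOrDefault(
                tok => filterStr.IndexOf(tok, StringComparison.OrdinalIgnoreCase) >= 0);
            Assert.True(leaked == null,
                string.Format("Injected token '{0}' survived parsing: {1}", leaked, filterStr));
        }
        catch (ManagedFdoException ex)
        {
            // Parser refused the payload: acceptable protection outcome, no assertion runs.
            Console.WriteLine("Test {0}: {1} - {2}", testNo, t.label, ex.Message);
        }
        testNo++;
    }
}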
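/// <summary>
/// Parses <paramref name="pwzFilter"/> with <c>FdoFilter.Parse</c>, asserts the result
/// round-trips through <c>ToString()</c> to the expected text, and asserts the root node
/// of the parse tree is assignable to <typeparamref name="T"/>.
/// </summary>
/// <typeparam name="T">Expected type of the root filter node.</typeparam>
/// <param name="pwzFilter">Filter text to parse.</param>
/// <param name="pwzResult">
/// Expected <c>ToString()</c> output. When null the parser is expected to reproduce
/// <paramref name="pwzFilter"/> verbatim.
/// </param>
/// <param name="expectedType">
/// Unused; kept for call-site compatibility. The type check is driven by
/// <typeparamref name="T"/>.
/// </param>
void ParseFilter<T>(string pwzFilter, string pwzResult = null, Type expectedType = null) where T : FdoFilter
{
    // Root node of the expression parse tree.
    FdoFilter pFilter = FdoFilter.Parse(pwzFilter);
    Assert.NotNull(pFilter);

    // Output back to string if parsing succeeded.
    string pwzOut = pFilter.ToString();
    Assert.NotNull(pwzOut);

    // xUnit's Assert.Equal is (expected, actual); the previous call order inverted
    // them, which makes the failure message report the parser output as "expected".
    string expected = pwzResult ?? pwzFilter;
    Assert.Equal(expected, pwzOut);

    Assert.IsAssignableFrom<T>(pFilter);
}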