コード例 #1
ファイル: Syringe.cs プロジェクト: suterma/SqlSyringe
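        /// <summary>
        /// Builds an <see cref="InjectionRequest"/> from the posted form fields
        /// "connectionstring", "sqlcommand" and "querytype".
        /// </summary>
        /// <param name="context">The HTTP context whose request form is read.</param>
        /// <param name="options">
        /// The options; a non-empty <c>ConnectionString</c> here takes precedence over the posted one.
        /// </param>
        /// <returns>
        /// The request to apply. <c>IsQuery</c> is true only when "querytype" equals "isquery" exactly;
        /// a missing or different value yields false on every target framework.
        /// </returns>
        private InjectionRequest GetInjectionRequest(HttpContext context, InjectionOptions options)
        {
#if NET45
            NameValueCollection form    = context.Request.Form;
            string formConnectionString = form["connectionstring"];
            string sqlCommand           = form["sqlcommand"];
            // The indexer returns null when the field was not posted. The static string.Equals
            // tolerates that instead of throwing a NullReferenceException, which matches the
            // result of the ASP.NET Core branch below for a missing field.
            bool   isQuery = string.Equals(form["querytype"], "isquery");
#elif (NETCOREAPP2_1 || NETCOREAPP3_0)
            // Blocks on the asynchronous form read because this method is synchronous.
            IFormCollection form = context.Request.ReadFormAsync().Result;
            string          formConnectionString = form["connectionstring"];
            string          sqlCommand           = form["sqlcommand"];
            bool            isQuery = form["querytype"].ToString().Equals("isquery");
#endif

            // Choose the connection string source (options overrides form, if available).
            // NOTE(review): when the options carry no connection string, the client-supplied
            // value decides which database server this host connects to. Confirm that the
            // endpoint is only reachable by trusted operators in that configuration.
            string connectionString = string.IsNullOrEmpty(options.ConnectionString) ? formConnectionString : options.ConnectionString;

            // Create the injection
            InjectionRequest injection = new InjectionRequest {
                IsQuery          = isQuery,
                ConnectionString = connectionString,
                SqlCommand       = sqlCommand
            };

            // NOTE(review): this writes the full SQL text to the trace listeners. Statements can
            // carry credentials or personal data, and may contain line breaks; confirm the trace
            // sinks are access-controlled. The connection string is deliberately not logged.
            Trace.WriteLine($"Injection is query: '{injection.IsQuery}', with command: '{injection.SqlCommand}'");
            return(injection);
        }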
コード例 #2
ファイル: Syringe.cs プロジェクト: suterma/SqlSyringe
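        /// <summary>
        /// Handles one request: a GET is answered with the empty input form, a POST has its SQL
        /// command run through a <c>Needle</c> and the outcome written to the response.
        /// Requests with any other method get no response from this method.
        /// </summary>
        /// <param name="context">The HTTP context of the request being served.</param>
        /// <remarks>
        /// NOTE(review): no access check is visible in this method, and the posted SQL is run
        /// as submitted. Confirm that the caller restricts who can reach it (authentication,
        /// source address, transport security) before this method runs.
        /// </remarks>
        private void ApplyTo(HttpContext context)
        {
            if (IsGetRequest(context))
            {
                // Serve the empty form; the connection string input is hidden when the options
                // already provide a connection string.
                string responseContent = Rendering.GetResourceText("SqlSyringe.SyringeIndex.html");
                responseContent = responseContent.Replace("{{CONNECTIONSTRING-INPUT-DISPLAY}}", _options.HasConnectionString ? "none" : "block");
                ResponseWrite(context, responseContent);
            }
            else if (IsPostRequest(context))
            {
                try {
                    Trace.WriteLine("Processing the SQL Syringe query request");
                    if (string.IsNullOrEmpty(context.Request.ContentType))
                    {
                        throw new ArgumentException("HTTP request form has no content type.");
                    }

                    InjectionRequest injection = GetInjectionRequest(context, _options);
                    Needle           needle    = new Needle(injection.ConnectionString);

                    // Apply the input
                    if (injection.IsQuery)
                    {
                        // Read and serve data
                        // NOTE(review): the table cells are database content; verify that
                        // Rendering.GetHtmlTableFrom HTML-encodes them before they are served.
                        DataTable data     = needle.Retrieve(injection.SqlCommand);
                        string    htmlData = Rendering.GetHtmlTableFrom(data);
                        ResponseWrite(context, Rendering.GetContentWith(htmlData));
                    }
                    else
                    {
                        // Execute and serve row count
                        // NOTE(review): GetContentWith is applied twice here but only once in the
                        // query branch above; confirm whether the double wrap is intended.
                        int affectedRowCount = needle.Inject(injection.SqlCommand);
                        ResponseWrite(context, Rendering.GetContentWith(Rendering.GetContentWith($"Number of Rows affected: {affectedRowCount}")));
                    }
                } catch (ThreadAbortException) {
                    // Swallowed on purpose: the exception flow should end here, after one of the
                    // ResponseWrite calls has ended the response.
                } catch (Exception ex) {
                    // Serve the output with the exception message. The message can echo parts of
                    // the submitted SQL or the connection string input, so it is HTML-encoded
                    // before being placed into the page; unencoded, it would let request data
                    // inject markup into the response.
                    // NOTE(review): the message is still disclosed to the client in full.
                    string responseContent = Rendering.GetResourceText("SqlSyringe.SyringeResult.html");
                    responseContent = responseContent.Replace("{{OUTPUT}}", System.Net.WebUtility.HtmlEncode(ex.Message));
                    ResponseWrite(context, responseContent);
                }
            }
        }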