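        /// <summary>
        /// Checks that SQL-injection style payloads spliced into a filter value do not come back
        /// out of an <c>FdoFilter.Parse</c> / <c>ToString</c> round trip as bare statement
        /// keywords. Each payload is accepted in one of two ways: the parser rejects it with a
        /// <c>ManagedFdoException</c>, or it parses and none of the expected tokens appear in
        /// the re-serialised filter text.
        /// </summary>
        /// <remarks>
        /// The exception path only logs and moves on, so a case that fails to parse is treated
        /// as protected without any assertion running; if the parser is expected to reject these
        /// inputs, the <c>Assert.False</c> below is only reached when it does not.
        /// </remarks>
        public void TestSqlInjectionProtection()
        {
            // Filter template; {0} is where the untrusted value is inserted.
            string suspectQuery = "RNAME = '{0}'";

            // Each case pairs a payload with the tokens that must not survive into the output.
            var tests = new[]
            {
                new { sql = "a'; DROP TABLE Parcels; SELECT * FROM Parcels WHERE '1' = '1", testTokens = new string[] { "DROP", ";" } },
                new { sql = "b'; DELETE FROM Parcels; SELECT * FROM Parcels WHERE '1' = '1", testTokens = new string[] { "DELETE", ";" } },
                new { sql = "c'; UPDATE Parcels SET RNAME = ''; SELECT * FROM Parcels WHERE '1' = '1", testTokens = new string[] { "UPDATE", "SET", ";" } }
            };

            int testNo = 1;

            foreach (var t in tests)
            {
                try
                {
                    string    origFilter = string.Format(suspectQuery, t.sql);
                    FdoFilter filter     = FdoFilter.Parse(origFilter);
                    string    filterStr  = filter.ToString();
                    Console.WriteLine("Test {0}: Drop table attempt\n   Original: {1}\n   Parsed: {2}", testNo, origFilter, filterStr);
                    // Ordinal case-insensitive search instead of ToUpper().Contains(): keyword
                    // matching is not linguistic, and this avoids re-uppercasing the whole
                    // output once per token.
                    Assert.False(t.testTokens.Any(tok => filterStr.IndexOf(tok, StringComparison.OrdinalIgnoreCase) >= 0));
                }
                catch (ManagedFdoException ex)
                {
                    // A rejected filter never reaches the data store; log and continue.
                    Console.WriteLine("Test {0}: Drop table attempt - {1}", testNo, ex.Message);
                }
                testNo++;
            }
        }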
        // parse an FDO Filter
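        /// <summary>
        /// Parses <paramref name="pwzFilter"/>, serialises the resulting filter back to text and
        /// asserts that the text matches <paramref name="pwzResult"/> (or the input itself when
        /// no expected text is supplied), then asserts the parsed node is assignable to
        /// <typeparamref name="T"/>.
        /// </summary>
        /// <typeparam name="T">Expected node type of the parse-tree root.</typeparam>
        /// <param name="pwzFilter">FDO filter text to parse.</param>
        /// <param name="pwzResult">Expected <c>ToString()</c> output; <c>null</c> means the output must equal the input.</param>
        /// <param name="expectedType">Accepted for signature compatibility; not used by this method.</param>
        void ParseFilter <T>(string pwzFilter, string pwzResult = null, Type expectedType = null) where T : FdoFilter
        {
            // get root node of expression parse tree
            FdoFilter pFilter = FdoFilter.Parse(pwzFilter);

            Assert.NotNull(pFilter);

            // output back to string if successful
            string pwzOut = pFilter.ToString();

            Assert.NotNull(pwzOut);

            // When no explicit result is given, the round trip must reproduce the input.
            string expected = pwzResult ?? pwzFilter;

            // xUnit's Assert.Equal takes (expected, actual); the original call had them
            // swapped, which mislabels the two values in the failure message.
            Assert.Equal(expected, pwzOut); // "Parse/ToString do not match!\n\t<{0}> should be <{1}>\n", pwzOut, expected

            Assert.IsAssignableFrom <T>(pFilter);
        }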