Exemplo n.º 1
0
        public OrmLitePageResult <Announcement> SelectList(string title, int pageIndex, int pageSize)
        {
            StringBuilder sb = new StringBuilder();
            var           ps = DictBuilder.New();

            sb.Append("1=1");
            var orderBy = "id desc";

            title = SqlInjection.Filter(title);
            if (!string.IsNullOrEmpty(title))
            {
                sb.AppendFormat(" and Title like '%{0}%'", title);
            }

            var factor = new OrmLitePageFactor
            {
                Conditions = sb.ToString(),
                PageIndex  = pageIndex,
                PageSize   = pageSize,
                OrderBy    = orderBy,
                Params     = ps
            };

            return(announcementDao.SelectPage(factor));
        }
Exemplo n.º 2
0
        // <summary>
        // Get values for the giving account
        // </summary>
        public void GetValues(string token)
        {
            // MySQL query
            const string result = "SELECT id, voornaam, tussenvoegsel, achternaam, email, pepper " +
                                  "FROM meok2_bibliotheek_gebruikers";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var showresult = new MySqlCommand(result, empConnection))
                {
                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        using (var reader = showresult.ExecuteReader(CommandBehavior.CloseConnection))
                        {
                            while (reader.Read())
                            {
                                // Check if the MD5 hash mathes
                                using (var md5Hash = MD5.Create())
                                {
                                    if (!Crypt.VerifyMd5Hash(md5Hash, reader.GetValue(4).ToString(), token))
                                    {
                                        continue;
                                    }
                                    // Save the values
                                    var id     = reader.GetValue(0).ToString();
                                    var pepper = reader.GetValue(5).ToString();

                                    if (id != "-1")
                                    {
                                        // Save values to the model
                                        Id        = Convert.ToInt16(id);
                                        Firstname =
                                            SqlInjection.SafeSqlLiteralRevert(
                                                Crypt.StringDecrypt(reader.GetValue(1).ToString(), pepper));
                                        Affix =
                                            SqlInjection.SafeSqlLiteralRevert(
                                                Crypt.StringDecrypt(reader.GetValue(2).ToString(), pepper));
                                        Lastname =
                                            SqlInjection.SafeSqlLiteralRevert(
                                                Crypt.StringDecrypt(reader.GetValue(3).ToString(), pepper));
                                        Mail   = SqlInjection.SafeSqlLiteralRevert(reader.GetValue(4).ToString());
                                        Pepper = pepper;
                                    }
                                }
                            }
                        }
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                    }
                    finally
                    {
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
        }
Exemplo n.º 3
0
        public List <MachinesInfo> GetMachines(string NWIP, string WWIP, string JQRT, string GLY, string ZG, PagerInfo info)
        {
            if (NWIP != null && SqlInjection.GetString(NWIP))
            {
                return(null);
            }

            if (WWIP != null && SqlInjection.GetString(WWIP))
            {
                return(null);
            }

            if (JQRT != null && SqlInjection.GetString(JQRT))
            {
                return(null);
            }

            if (GLY != null && SqlInjection.GetString(GLY))
            {
                return(null);
            }

            if (ZG != null && SqlInjection.GetString(ZG))
            {
                return(null);
            }

            if (machinesDal == null)
            {
                machinesDal = baseDal as IMachines;
            }

            return(machinesDal.GetMachines(NWIP, WWIP, JQRT, GLY, ZG, info));
        }
Exemplo n.º 4
0
        public Int32 GetMachinesCount(string NWIP, string WWIP, string JQRT, string GLY, string ZG)
        {
            if (NWIP != null && SqlInjection.GetString(NWIP))
            {
                return(-1);
            }

            if (WWIP != null && SqlInjection.GetString(WWIP))
            {
                return(-1);
            }

            if (JQRT != null && SqlInjection.GetString(JQRT))
            {
                return(-1);
            }

            if (GLY != null && SqlInjection.GetString(GLY))
            {
                return(-1);
            }

            if (ZG != null && SqlInjection.GetString(ZG))
            {
                return(-1);
            }

            if (machinesDal == null)
            {
                machinesDal = baseDal as IMachines;
            }

            return(machinesDal.GetMachinesCount(NWIP, WWIP, JQRT, GLY, ZG));
        }
Exemplo n.º 5
0
        /// <summary>
        /// 获取测试数据
        /// </summary>
        /// <param name="key"></param>
        /// <param name="PageSize"></param>
        /// <param name="CurrentCount"></param>
        /// <param name="TotalCount"></param>
        /// <returns></returns>
        public List <ArticleEntity> GetArticleList(string key, int PageSize, int CurrentCount, out int TotalCount)
        {
            string tabName  = string.Format("Article");
            string strWhere = " 1=1";

            if (!string.IsNullOrEmpty(key))
            {
                //SQL关键字过滤 包含关键字则不拼接SQL
                if (!SqlInjection.GetString(key))
                {
                    strWhere += string.Format(" AND (Title LIKE '%{0}%' OR Content LIKE '%{0}%')", key);
                }
            }
            string  Order             = string.Format("ID DESC");
            DataSet ds                = SqlHelper.GetList(SqlHelper.connStr, Order, PageSize, CurrentCount, tabName, strWhere, out TotalCount);
            List <ArticleEntity> list = new List <ArticleEntity>();

            if (ds != null && ds.Tables.Count > 0)
            {
                foreach (DataRow dr in ds.Tables[0].Rows)
                {
                    ArticleEntity model = new ArticleEntity();
                    model.ID      = Convert.ToInt32(dr["ID"]);
                    model.Title   = dr["Title"].ToString();
                    model.Content = dr["Content"].ToString();
                    list.Add(model);
                }
            }
            return(list);
        }
Exemplo n.º 6
0
        /// <summary>
        /// 分页查询
        /// </summary>
        /// <returns></returns>
        public ActionResult GetAllResumeInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "Id" : Request["sort"];
            string order    = Request["order"] == null ? "asc" : Request["order"];

            //首先获取前台传递过来的参数
            int pageindex = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int pagesize  = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);

            if (!string.IsNullOrEmpty(Request["RealName"]) && !SqlInjection.GetString(Request["RealName"]))
            {
                strWhere += " and RealName like '%" + Request["RealName"] + "%'";
            }

            if (!string.IsNullOrEmpty(Request["IdCard"]) && !SqlInjection.GetString(Request["IdCard"]))
            {
                strWhere += " and IdCard like '%" + Request["IdCard"] + "%'";
            }

            int    totalCount; //输出参数
            string strJson    = bll.GetPager("Resume_Base", "Id,RealName,Sex,Nation,IdCard,PoliticalAffiliation,Education,Major,IsMarry,IsBred,Residence,ResidenceType,Address,FillingDate ", sort + " " + order, pagesize, pageindex, strWhere, out totalCount);
            var    jsonResult = new { total = totalCount.ToString(), rows = strJson };

            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
Exemplo n.º 7
0
        /// <summary>
        /// 获取项目的节点详情
        /// </summary>
        /// <returns></returns>
        public ActionResult GetPMNodeInfo()
        {
            //首先获取前台传递过来的参数
            string strWhere    = "1=1";
            string view        = Request["view"] == null ? "PMMaintain" : Request["view"];
            string ProjectID   = Request["ProjectID"] == null ? "" : Request["ProjectID"];
            string ProjectNo   = Request["ProjectNo"] == null ? "" : Request["ProjectNo"];
            string ProjectName = Request["ProjectName"] == null ? "" : Request["ProjectName"];

            if (ProjectID.Trim() != "" && !SqlInjection.GetString(ProjectID))   //防止sql注入
            {
                strWhere += string.Format(" and ProjectID = '{0}'", ProjectID.Trim());
            }
            string content = "";

            try
            {
                string    sqlstr  = string.Format("select * from tbMgrNodeInfo where ProjectID='{0}'", ProjectID);
                DataTable dt      = AchieveCommon.SqlHelper.GetDataTable(SqlHelper.connStr, sqlstr);
                string    strJson = AchieveCommon.JsonHelper.ToJson(dt);
                content = "{\"success\": true ,\"rows\":" + strJson + "}";
            }
            catch (Exception ex)
            {
                return(Content("{\"msg\":\"获取数据失败," + ex.Message.Trim().Replace("\r", "").Replace("\n", "") + "\",\"success\":false}"));
            }

            return(Content(content));
        }
Exemplo n.º 8
0
        public OrmLitePageResult <TimedTask> SearchList(string name, bool?enable, int pageIndex, int pageSize)
        {
            var condition = "1=1";

            name = SqlInjection.Filter(name);
            if (!string.IsNullOrEmpty(name))
            {
                condition += " and Name like '%" + name + "%'";
            }

            if (enable != null)
            {
                condition += " and Enable=" + (enable.Value ? "1" : "0");
            }

            using (var db = Open())
            {
                return(db.SelectPage <TimedTask>(new OrmLitePageFactor
                {
                    PageIndex = pageIndex,
                    PageSize = pageSize,
                    OrderBy = "id desc",
                    Conditions = condition,
                }));
            }
        }
Exemplo n.º 9
0
        // <summary>
        // Select all users from database
        // </summary>
        public static List <String> AllUsers()
        {
            // Initial vars
            var list = new List <String>();

            // MySQL query
            const string result = "SELECT id, voornaam, tussenvoegsel, achternaam, pepper, email " +
                                  "FROM meok2_bibliotheek_gebruikers";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var showresult = new MySqlCommand(result, empConnection))
                {
                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        using (var myDataReader = showresult.ExecuteReader(CommandBehavior.CloseConnection))
                        {
                            while (myDataReader.Read())
                            {
                                // Save the values
                                var id     = myDataReader.GetString(0);
                                var pepper = myDataReader.GetString(4);

                                var name =
                                    SqlInjection.SafeSqlLiteralRevert(Crypt.StringDecrypt(myDataReader.GetString(1),
                                                                                          pepper));
                                var affix    = myDataReader.GetString(2);
                                var lastname =
                                    SqlInjection.SafeSqlLiteralRevert(Crypt.StringDecrypt(myDataReader.GetString(3),
                                                                                          pepper));
                                var email = myDataReader.GetString(5);

                                if (!String.IsNullOrEmpty(affix))
                                {
                                    name = name + " " +
                                           SqlInjection.SafeSqlLiteralRevert(Crypt.StringDecrypt(affix, pepper));
                                }
                                name = name + " " + lastname;

                                list.Add(id);
                                list.Add(name);
                                list.Add(email);
                            }
                        }
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                    }
                    finally
                    {
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
            return(list);
        }
Exemplo n.º 10
0
        public ActionResult GetAllProduceInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "ID" : Request["sort"];
            string order    = Request["order"] == null ? "asc" : Request["order"];

            //首先获取前台传递过来的参数
            int    pageindex    = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int    pagesize     = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);
            string userid       = Request["accountid"] == null ? "" : Request["accountid"];
            string username     = Request["username"] == null ? "" : Request["username"];
            string isable       = Request["isable"] == null ? "" : Request["isable"];
            string ifchangepwd  = Request["ifchangepwd"] == null ? "" : Request["ifchangepwd"];
            string userperson   = Request["userperson"] == null ? "" : Request["userperson"];
            string adddatestart = Request["adddatestart"] == null ? "" : Request["adddatestart"];
            string adddateend   = Request["adddateend"] == null ? "" : Request["adddateend"];

            if (userid.Trim() != "" && !SqlInjection.GetString(userid))   //防止sql注入
            {
                strWhere += string.Format(" and AccountName like '%{0}%'", userid.Trim());
            }
            if (username.Trim() != "" && !SqlInjection.GetString(username))
            {
                strWhere += string.Format(" and RealName like '%{0}%'", username.Trim());
            }
            if (isable.Trim() != "select" && isable.Trim() != "")
            {
                strWhere += " and IsAble = '" + isable.Trim() + "'";
            }
            if (ifchangepwd.Trim() != "select" && ifchangepwd.Trim() != "")
            {
                strWhere += " and IfChangePwd = '" + ifchangepwd.Trim() + "'";
            }
            if (adddatestart.Trim() != "")
            {
                strWhere += " and CreateTime > '" + adddatestart.Trim() + "'";
            }
            if (adddateend.Trim() != "")
            {
                strWhere += " and CreateTime < '" + adddateend.Trim() + "'";
            }

            int       totalCount; //输出参数
            DataTable dt = AchieveCommon.SqlPagerHelper.GetPagerK3("ICMO", "FBillNo,FStatus,FQty,FCommitQty,FPlanCommitDate,FPlanFinishDate,FStartDate,FFinishDate,FType,FWorkShop,FItemID", sort + " " + order, pagesize, pageindex, strWhere, out totalCount);

            dt.Columns.Add(new DataColumn("FModel"));
            dt.Columns.Add(new DataColumn("FName"));
            for (int i = 0; i < dt.Rows.Count; i++)
            {
                DataTable dticitemcore = GetFNameByFItemID(Convert.ToInt32(dt.Rows[i]["FItemID"]));
                dt.Rows[i]["FModel"] = AchieveCommon.JsonHelper.ColumnToJson(dticitemcore, 0);
                dt.Rows[i]["FName"]  = AchieveCommon.JsonHelper.ColumnToJson(dticitemcore, 1);
            }
            string strJson = AchieveCommon.JsonHelper.ToJson(dt);

            var jsonResult = new { total = totalCount.ToString(), rows = strJson };

            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
        public void Replace(string input, string expected)
        {
            var manip  = new SqlInjection(12);
            var result = manip.Manipulate(input);

            Assert.NotNull(result);
            Assert.Equal(expected, result);
        }
Exemplo n.º 12
0
 public SqlInjection GetOrSetSqlInjection(Type entityType, SqlInjection sqlInjection = null)
 {
     if (!_sqlInjections.TryGetValue(entityType, out SqlInjection value) && sqlInjection != null)
     {
         value = sqlInjection;
         _sqlInjections[entityType] = value;
     }
     return(value);
 }
Exemplo n.º 13
0
        public ActionResult GetAllProduceInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "FPlanCommitDate" : Request["sort"];
            string order    = Request["order"] == null ? "desc" : Request["order"];

            //首先获取前台传递过来的参数
            int    pageindex       = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int    pagesize        = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);
            string FBillNo         = Request["FBillNo"] == null ? "" : Request["FBillNo"];
            string FItemID         = Request["FItemID"] == null ? "" : Request["FItemID"];
            string isable          = Request["isable"] == null ? "" : Request["isable"];
            string ifchangepwd     = Request["ifchangepwd"] == null ? "" : Request["ifchangepwd"];
            string userperson      = Request["userperson"] == null ? "" : Request["userperson"];
            string FPlanCommitDate = Request["FPlanCommitDate"] == null ? "" : Request["FPlanCommitDate"];
            string FPlanFinishDate = Request["FPlanFinishDate"] == null ? "" : Request["FPlanFinishDate"];

            if (FBillNo.Trim() != "" && !SqlInjection.GetString(FBillNo))   //防止sql注入
            {
                strWhere += string.Format(" and FBillNo like '%{0}%'", FBillNo.Trim());
            }
            //FName为非主表字段,暂不支持直接查询;
            //后期解决思路,先根据FName在子表中查询对应的FItemID,可能有多个,则将这多个拼接成where条件;
            //例如  FItemID = id1 and FItemID = id2  and FItemID = id3...
            //if (FName.Trim() != "" && !SqlInjection.GetString(FName))
            //    strWhere += string.Format(" and FName like '%{0}%'", FName.Trim());
            if (FItemID.Trim() != "" && !SqlInjection.GetString(FItemID))
            {
                strWhere += string.Format(" and FItemID like '%{0}%'", FItemID.Trim());
            }
            if (isable.Trim() != "select" && isable.Trim() != "")
            {
                strWhere += " and IsAble = '" + isable.Trim() + "'";
            }
            if (ifchangepwd.Trim() != "select" && ifchangepwd.Trim() != "")
            {
                strWhere += " and IfChangePwd = '" + ifchangepwd.Trim() + "'";
            }
            if (FPlanCommitDate.Trim() != "")
            {
                strWhere += " and FPlanCommitDate > '" + FPlanCommitDate.Trim() + "'";
            }
            if (FPlanFinishDate.Trim() != "")
            {
                strWhere += " and FPlanFinishDate < '" + FPlanFinishDate.Trim() + "'";
            }

            //抽取主作业计划单,规则不包含-、_两种连接符
            strWhere += "and Fbillno not like '%v_%'  ESCAPE   'v'  and  Fbillno not like '%v-%' ESCAPE   'v'";

            int    totalCount; //输出参数
            string strJson = new ProjectBLL().GetJsonPager("ICMO", "FBillNo,FStatus,FQty,FCommitQty,FPlanCommitDate,FPlanFinishDate,FStartDate,FFinishDate,FType,FWorkShop,FItemID", sort + " " + order, pagesize, pageindex, strWhere, out totalCount);

            //var jsonResult = new { total = totalCount.ToString(), rows = strJson };
            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
Exemplo n.º 14
0
        // <summary> Adds a new user to the database </summery>
        public void AddUser()
        {
            // Run model through sql injection prevention
            var fullName = SqlInjection.SafeSqlLiteral(Name);
            var username = SqlInjection.SafeSqlLiteral(StringManipulation.ToLowerFast(Username));
            var salt     = Crypt.GetRandomSalt();

            // TFA code
            var buffer = new byte[9];

            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(buffer);
            }

            // Generates a 10 character string of A-Z, a-z, 0-9 Don't need to worry about any =
            // padding from the Base64 encoding, since our input buffer is divisible by 3
            var secret = Convert.ToBase64String(buffer).Substring(0, 10).Replace('/', '0').Replace('+', '1');

            // MySql query
            const string insertStatement = "INSERT INTO users " +
                                           "(Name, Username, Password, Salt, Secret) " +
                                           "VALUES (?, ?, ?, ?, ?)";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var insertCommand = new MySqlCommand(insertStatement, empConnection))
                {
                    // Bind parameters
                    insertCommand.Parameters.Add("Name", MySqlDbType.VarChar).Value     = fullName;
                    insertCommand.Parameters.Add("Username", MySqlDbType.VarChar).Value = username;
                    insertCommand.Parameters.Add("Password", MySqlDbType.VarChar).Value = Crypt.HashPassword(Password,
                                                                                                             salt);
                    insertCommand.Parameters.Add("Salt", MySqlDbType.VarChar).Value   = salt;
                    insertCommand.Parameters.Add("Secret", MySqlDbType.VarChar).Value = secret;

                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        insertCommand.ExecuteNonQuery();
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                    }
                    finally
                    {
                        // Always close the connection
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
            Done = true;
        }
Exemplo n.º 15
0
        public bool Login()
        {
            var email         = SqlInjection.SafeSqlLiteral(StringManipulation.ToLowerFast(Email));
            var password      = Password;
            var savedPassword = String.Empty;
            var savedSalt     = String.Empty;
            var savedId       = String.Empty;

            // MySQL query
            const string result = "SELECT id, password, salt, admin " +
                                  "FROM meok2_bibliotheek_gebruikers " +
                                  "WHERE email = ?";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var showresult = new MySqlCommand(result, empConnection))
                {
                    // Bind parameters
                    showresult.Parameters.Add("email", MySqlDbType.VarChar).Value = email;
                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        using (var myDataReader = showresult.ExecuteReader(CommandBehavior.CloseConnection))
                        {
                            while (myDataReader.Read())
                            {
                                // Save the values
                                savedId       = myDataReader.GetValue(0).ToString();
                                savedPassword = myDataReader.GetString(1);
                                savedSalt     = myDataReader.GetString(2);
                                Admin         = Convert.ToInt16(myDataReader.GetValue(3));
                            }
                        }

                        // Hash the password and check if the hash is the same as the saved password
                        if (Crypt.ValidatePassword(password, savedPassword, savedSalt))
                        {
                            Cookies.MakeCookie(email, savedId, Admin.ToString(CultureInfo.InvariantCulture));
                            return(true);
                        }
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                        return(false);
                    }
                    finally
                    {
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
            return(false);
        }
Exemplo n.º 16
0
 public string MailCheck(string input)
 {
     // Validate email
     if (ValidateEmail.IsValidEmail(input))
     {
         return(RegisterModel.CheckMail(SqlInjection.SafeSqlLiteral(StringManipulation.ToLowerFast(input))) > 0
             ? "Deze email is al bezet"
             : "Deze email is nog niet bezet");
     }
     return("Dit is geen geldig email adres");
 }
Exemplo n.º 17
0
            public void Existing_WithoutValue_ReturningValue()
            {
                var value = new SqlInjection {
                    EntityType = typeof(SqlInjectionTest), Property = "foo", Sql = "select foo from dual"
                };

                _ = Configuration.GetOrSetSqlInjection(typeof(SqlInjectionTest), value);
                var result = Configuration.GetOrSetSqlInjection(typeof(SqlInjectionTest), null);

                result.Should().Be(value);
            }
Exemplo n.º 18
0
 public List <SystemRole> SelectAll(string name)
 {
     name = SqlInjection.Filter(name);
     if (string.IsNullOrEmpty(name))
     {
         return(systemRoleDao.SelectAll());
     }
     else
     {
         return(systemRoleDao.Select($"name like '%{name}%'", null));
     }
 }
Exemplo n.º 19
0
        /// <summary>
        /// 获取权限下的用户(分页)
        /// </summary>
        public string GetPagerRoleUser(int roleId, string order, int pageSize, int pageIndex)
        {
            if (SqlInjection.GetString(order))   //简单的sql注入过滤
            {
                order = "CreateTime asc";
            }
            int       totalCount = dal.GetRoleUserCount(roleId);
            DataTable dt         = dal.GetPagerRoleUser(roleId, order, pageSize, pageIndex);

            string strjson = JsonHelper.ToJson(dt);

            return("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strjson + "}");
        }
Exemplo n.º 20
0
            public void NotExisting_WithValue_ReturningNull()
            {
                var value = new SqlInjection {
                    EntityType = typeof(SqlInjectionTest), Property = "foo", Sql = "select foo from dual"
                };
                var result = Configuration.GetOrSetSqlInjection(typeof(SqlInjectionTest), value);

                Assert.IsNotNull(result);
                Assert.AreSame(value, result);
                Assert.AreEqual("foo", value.Property);
                Assert.AreEqual("select foo from dual", value.Sql);
                Assert.AreEqual(value.EntityType, result.EntityType);
            }
Exemplo n.º 21
0
        // <summary>
        // Add book to the database
        // </summary>
        public bool AddBook()
        {
            // Run model through sql prevention and save them to vars
            var title     = SqlInjection.SafeSqlLiteral(Title);
            var author    = SqlInjection.SafeSqlLiteral(Author);
            var genre     = Genre;
            var isbn      = SqlInjection.SafeSqlLiteral(Isbn);
            var floor     = Floor;
            var rack      = Rack;
            var dateAdded = StringManipulation.DateTimeToMySql(DateTime.Now);

            // MySQL query Insert book in the database
            const string insertStatement = "INSERT INTO meok2_bibliotheek_boeken " +
                                           "(titel, auteur, genre, isbn, verdieping, rek, dateadded) " +
                                           "VALUES (?, ?, ?, ?, ?, ?, ?)";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var insertCommand = new MySqlCommand(insertStatement, empConnection))
                {
                    // Bind parameters
                    insertCommand.Parameters.Add("titel", MySqlDbType.VarChar).Value    = title;
                    insertCommand.Parameters.Add("auteur", MySqlDbType.VarChar).Value   = author;
                    insertCommand.Parameters.Add("genre", MySqlDbType.Int16).Value      = genre;
                    insertCommand.Parameters.Add("isbn", MySqlDbType.VarChar).Value     = isbn;
                    insertCommand.Parameters.Add("verdieping", MySqlDbType.Int16).Value = floor;
                    insertCommand.Parameters.Add("rek", MySqlDbType.Int16).Value        = rack;
                    insertCommand.Parameters.Add("dateadded", MySqlDbType.Date).Value   = dateAdded;

                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        insertCommand.ExecuteNonQuery();

                        // Return
                        return(true);
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                        return(false);
                    }
                    finally
                    {
                        // Make sure to close the connection
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
        }
Exemplo n.º 22
0
        public DataTable GetZG(string key)
        {
            // 检查一下key是否含有不合法的字符串
            if (SqlInjection.GetString(key))
            {
                return(null);
            }

            if (machinesDal == null)
            {
                machinesDal = baseDal as IMachines;
            }
            return(machinesDal.GetZG(key));
        }
Exemplo n.º 23
0
        public ActionResult GetAllUserInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "ID" : Request["sort"];
            string order    = Request["order"] == null ? "asc" : Request["order"];

            //首先获取前台传递过来的参数
            int    pageindex    = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int    pagesize     = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);
            string userid       = Request["accountid"] == null ? "" : Request["accountid"];
            string username     = Request["username"] == null ? "" : Request["username"];
            string isable       = Request["isable"] == null ? "" : Request["isable"];
            string ifchangepwd  = Request["ifchangepwd"] == null ? "" : Request["ifchangepwd"];
            string userperson   = Request["userperson"] == null ? "" : Request["userperson"];
            string adddatestart = Request["adddatestart"] == null ? "" : Request["adddatestart"];
            string adddateend   = Request["adddateend"] == null ? "" : Request["adddateend"];

            if (userid.Trim() != "" && !SqlInjection.GetString(userid))   //防止sql注入
            {
                strWhere += string.Format(" and AccountName like '%{0}%'", userid.Trim());
            }
            if (username.Trim() != "" && !SqlInjection.GetString(username))
            {
                strWhere += string.Format(" and RealName like '%{0}%'", username.Trim());
            }
            if (isable.Trim() != "select" && isable.Trim() != "")
            {
                strWhere += " and IsAble = '" + isable.Trim() + "'";
            }
            if (ifchangepwd.Trim() != "select" && ifchangepwd.Trim() != "")
            {
                strWhere += " and IfChangePwd = '" + ifchangepwd.Trim() + "'";
            }
            if (adddatestart.Trim() != "")
            {
                strWhere += " and CreateTime > '" + adddatestart.Trim() + "'";
            }
            if (adddateend.Trim() != "")
            {
                strWhere += " and CreateTime < '" + adddateend.Trim() + "'";
            }

            int    totalCount; //输出参数
            string strJson    = new UserBLL().GetPager("tbUser", "ID,AccountName,[Password],RealName,MobilePhone,Email,IsAble,IfChangePwd,[Description],CreateTime,CreateBy,UpdateTime,UpdateBy", sort + " " + order, pagesize, pageindex, strWhere, out totalCount);
            var    jsonResult = new { total = totalCount.ToString(), rows = strJson };

            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
Exemplo n.º 24
0
        // <summary>
        // select book from the database
        // </summary>
        public static List <String> SelectBookById(String id)
        {
            // Initial vars
            var list = new List <String>();

            // MySQL query
            const string result = "SELECT titel, auteur, genre, isbn, verdieping, rek, amount " +
                                  "FROM meok2_bibliotheek_boeken " +
                                  "WHERE id = ?";

            using (var empConnection = DatabaseConnection.DatabaseConnect())
            {
                using (var showresult = new MySqlCommand(result, empConnection))
                {
                    // Bind parameters
                    showresult.Parameters.Add("id", MySqlDbType.VarChar).Value = SqlInjection.SafeSqlLiteral(id);
                    try
                    {
                        DatabaseConnection.DatabaseOpen(empConnection);
                        // Execute command
                        using (var myDataReader = showresult.ExecuteReader(CommandBehavior.CloseConnection))
                        {
                            while (myDataReader.Read())
                            {
                                // Save the values
                                list.Add(SqlInjection.SafeSqlLiteralRevert(myDataReader.GetString(0)));
                                list.Add(SqlInjection.SafeSqlLiteralRevert(myDataReader.GetString(1)));
                                list.Add(myDataReader.GetString(2));
                                list.Add(SqlInjection.SafeSqlLiteralRevert(myDataReader.GetString(3)));
                                list.Add(myDataReader.GetString(4));
                                list.Add(myDataReader.GetString(5));
                                list.Add(myDataReader.GetString(6));
                            }
                        }
                    }
                    catch (MySqlException)
                    {
                        // MySqlException bail out
                    }
                    finally
                    {
                        DatabaseConnection.DatabaseClose(empConnection);
                    }
                }
            }
            return(list);
        }
Exemplo n.º 25
0
        /// <summary>
        /// 获取部门下的用户(分页)
        /// </summary>
        public string GetPagerDepartmentUser(string departmentIds, string order, int pageSize, int pageIndex)
        {
            if (SqlInjection.GetString(departmentIds))   //简单sql防注入
            {
                departmentIds = "";
            }
            if (SqlInjection.GetString(order))
            {
                order = "CreateTime asc";
            }
            int       totalCount = dal.GetDepartmentUserCount(departmentIds);
            DataTable dt         = dal.GetPagerDepartmentUser(departmentIds, order, pageSize, pageIndex);

            string strjson = JsonHelper.ToJson(dt);

            return("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strjson + "}");
        }
Exemplo n.º 26
0
        public ActionResult GetAllFieldsInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "Id" : Request["sort"];
            string order    = Request["order"] == null ? "asc" : Request["order"];

            if (!string.IsNullOrEmpty(Request["FieldName"]) && !SqlInjection.GetString(Request["FieldName"]))
            {
                strWhere += " and FieldName like '%" + Request["FieldName"] + "%'";
            }
            if (!string.IsNullOrEmpty(Request["FieldViewName"]) && !SqlInjection.GetString(Request["FieldViewName"]))
            {
                strWhere += " and FieldViewName like '%" + Request["FieldViewName"] + "%'";
            }
            if (!string.IsNullOrEmpty(Request["SelTabId"]))
            {
                strWhere += " and TabId = '" + Request["SelTabId"] + "'";
            }
            //首先获取前台传递过来的参数
            int    pageindex  = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int    pagesize   = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);
            int    totalCount = 0;
            string strJson    = "";       //输出结果

            if (order.IndexOf(',') != -1) //如果有","就是多列排序(不能拿列判断,列名中间可能有","符号)
            {
                //多列排序:
                //sort:ParentId,Sort,AddDate
                //order:asc,desc,asc
                string   sortMulti  = "";              //拼接排序条件,例:TabId desc,Sort asc
                string[] sortArray  = sort.Split(','); //列名中间有","符号,这里也要出错。正常不会有
                string[] orderArray = order.Split(',');
                for (int i = 0; i < sortArray.Length; i++)
                {
                    sortMulti += sortArray[i] + " " + orderArray[i] + ",";
                }
                strJson = new FieldsBLL().GetPager("vw_Fields", "Id,TabId,FieldName,FieldViewName,FieldDataTypeId,IsActive,IsSearch,Sort,CreateTime,CreateBy,UpdateTime,UpdateBy,DataType,DataTypeName,TabName,TabViewName", sortMulti.Trim(','), pagesize, pageindex, strWhere, out totalCount);
            }
            else
            {
                strJson = new FieldsBLL().GetPager("vw_Fields", "Id,TabId,FieldName,FieldViewName,FieldDataTypeId,IsActive,IsSearch,Sort,CreateTime,CreateBy,UpdateTime,UpdateBy,DataType,DataTypeName,TabName,TabViewName", sort + " " + order, pagesize, pageindex, strWhere, out totalCount);
            }
            var jsonResult = new { total = totalCount.ToString(), rows = strJson };

            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
Exemplo n.º 27
0
        public OrmLitePageResult <Ad> SelectList(string title, int?adTypeId, DateTime?start, DateTime?end,
                                                 int pageIndex, int pageSize)
        {
            StringBuilder sb = new StringBuilder();
            var           ps = DictBuilder.New();

            sb.Append("1=1");
            var orderBy = "id desc";

            title = SqlInjection.Filter(title);
            if (!string.IsNullOrEmpty(title))
            {
                sb.AppendFormat(" and Title like '%{0}%'", title);
            }

            if (adTypeId > 0)
            {
                orderBy = "OrderNum";
                sb.AppendFormat(" and TypeId={0}", adTypeId);
            }

            if (start.HasValue)
            {
                sb.AppendFormat(" and EndTime>@start");
                ps.EQ("start", start.Value);
            }

            if (end.HasValue)
            {
                sb.Append(" and EndTime<@end");
                ps.EQ("end", end.Value.AddDays(1));
            }


            var factor = new OrmLitePageFactor
            {
                Conditions = sb.ToString(),
                PageIndex  = pageIndex,
                PageSize   = pageSize,
                OrderBy    = orderBy,
                Params     = ps
            };

            return(_adDao.SelectPage(factor));
        }
Exemplo n.º 28
0
        public ActionResult GetAllRequestionTypeInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "id" : Request["sort"];
            string order    = Request["order"] == null ? "asc" : Request["order"];

            if (!string.IsNullOrEmpty(Request["FTypeName"]) && !SqlInjection.GetString(Request["FTypeName"]))
            {
                strWhere += " and ftypename like '%" + Request["FTypeName"] + "%'";
            }
            //首先获取前台传递过来的参数
            int    pageindex  = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int    pagesize   = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);
            int    totalCount = 0; //输出参数
            string strJson    = new RequestionTypeBLL().GetPager("tbRequestionType", "[id],[ftypename],fsort,CreateTime,CreateBy,UpdateTime,UpdateBy", sort + " " + order, pagesize, pageindex, strWhere, out totalCount);

            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
Exemplo n.º 29
0
        public ActionResult GetAllButtonInfo()
        {
            string strWhere = "1=1";
            string sort     = Request["sort"] == null ? "id" : Request["sort"];
            string order    = Request["order"] == null ? "asc" : Request["order"];

            if (!string.IsNullOrEmpty(Request["FButtonName"]) && !SqlInjection.GetString(Request["FButtonName"]))
            {
                strWhere += " and Name like '%" + Request["FButtonName"] + "%'";
            }
            //首先获取前台传递过来的参数
            int    pageindex  = Request["page"] == null ? 1 : Convert.ToInt32(Request["page"]);
            int    pagesize   = Request["rows"] == null ? 10 : Convert.ToInt32(Request["rows"]);
            int    totalCount = 0; //输出参数
            string strJson    = JsonHelper.ToJson(SqlPagerHelper.GetPager("tbButton", "Id,Name,Code,Icon,Sort,Description,CreateTime,CreateBy,UpdateTime,UpdateBy", sort + " " + order, pagesize, pageindex, strWhere, out totalCount));

            return(Content("{\"total\": " + totalCount.ToString() + ",\"rows\":" + strJson + "}"));
        }
Exemplo n.º 30
0
        public OrmLitePageResult <SystemRes> SelectList(string name, int pageIndex, int pageSize)
        {
            name = SqlInjection.Filter(name);
            var condition = "";

            if (!string.IsNullOrEmpty(name))
            {
                condition = " Name LIKE '%" + name + "%'";
            }

            return(SelectPage(new OrmLitePageFactor
            {
                Conditions = condition,
                OrderBy = "ID asc",
                PageIndex = pageIndex,
                PageSize = pageSize,
            }));
        }