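        /// <summary>
        /// OWASP TOP 10 - A1 - no SQL injection: the user name is whitelisted
        /// (word characters only) and handed to SQL Server as a parameter, never
        /// concatenated into the statement. Looks up the user's type, registers a
        /// new <see cref="Session"/> in <c>sessionList</c> and returns its id.
        /// </summary>
        /// <param name="user">User name; must consist solely of \w characters.</param>
        /// <param name="clientip">Client address recorded in the session.</param>
        /// <returns>
        /// The id of the created session, or <c>null</c> when <paramref name="user"/>
        /// is null or fails the whitelist.
        /// </returns>
        public static string addSession(String user, String clientip)
        {
            // \A and \z anchor the whole string; ^...$ would also accept a value with a
            // trailing newline, which is not what a whitelist should let through.
            if (user == null || !Regex.IsMatch(user, @"\A\w+\z"))
            {
                return null;
            }

            string constr = Settings.Default.UserDbConnectionString;
            string type = "";

            // using blocks release the connection and command even when the query throws
            // (the original left both undisposed on an exception).
            using (SqlConnection con = new SqlConnection(constr))
            using (SqlCommand command = new SqlCommand("SELECT UserType FROM Users Where Name = @UserName", con))
            {
                command.CommandType = CommandType.Text;
                // Same parameter name as before; SqlClient prepends the '@' when it is absent.
                command.Parameters.AddWithValue("UserName", user);
                con.Open();

                // Execute the query exactly once; the original ran it twice (null check + ToString).
                // A NULL column comes back as DBNull, whose ToString() is "", matching the default.
                object result = command.ExecuteScalar();
                if (result != null)
                {
                    type = result.ToString();
                }
            }

            // NOTE(review): a session is still issued when no row matched (type stays "");
            // the caller is assumed to have authenticated `user` before calling — confirm.
            Session s = new Session(generateSessionId(), type, user, clientip);
            sessionList.Add(s);

            return s.SessionId;
        }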
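 /// <summary>
 /// Removes every entry of <c>sessionList</c> that is equal to <paramref name="s"/>
 /// (equality as defined by <c>Session.Equals</c>).
 /// </summary>
 /// <param name="s">The session to remove; a <c>null</c> argument is a no-op.</param>
 public static void deleteSession(Session s)
 {
     // Nothing can be equal to a null session, so skip the scan instead of
     // relying on Session.Equals(null) returning false.
     if (s == null)
     {
         return;
     }

     sessionList.RemoveAll(x => x.Equals(s));
 }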