/// <summary>
/// Write hook: refuses to persist the node when its SQL text is flagged by
/// <see cref="CswSqlAnalysis.doesSqlContainDmlOrDdl"/>, so only statements the analyser
/// does not classify as DML/DDL can be stored on the node.
/// </summary>
/// <param name="Creating">Not used by this override; supplied by the base write pipeline.</param>
/// <param name="OverrideUniqueValidation">Not used by this override; supplied by the base write pipeline.</param>
/// <exception cref="CswDniException">Thrown when the SQL text is flagged as containing DML or DDL.</exception>
protected override void beforeWriteNodeLogic(bool Creating, bool OverrideUniqueValidation)
{
    string sqlText = SQL.Text;
    bool flaggedAsWrite = CswSqlAnalysis.doesSqlContainDmlOrDdl(sqlText);
    if (flaggedAsWrite)
    {
        // NOTE(review): this is a text-level denylist on the stored statement, not a parse of it;
        // treat it as defence in depth rather than the only guard that a stored query cannot write.
        throw new CswDniException("Invalid sql: " + sqlText);
    }
} // beforeWriteNodeLogic()
/// <summary>
/// Checks CswSqlAnalysis.doesSqlContainDmlOrDdl against a fixed corpus: read-only selects
/// (including aggregates, subqueries and where clauses) must not be flagged, while statements
/// that write, change schema or accounts, or take locks must be flagged.
/// </summary>
public void DoesSqlContainDmlOrDdlTest()
{
    // Expected to pass the analyser untouched.
    string[] allowedStatements =
    {
        "select * from nodes",
        "select count(*) from jct_nodes_props",
        "select * from (select nodetypeid from nodetypes)",
        "select * from nodes where pendingupdate = '1'"
    };

    // Expected to be rejected by the analyser.
    string[] rejectedStatements =
    {
        "truncate table nodes",
        "alter user nbt identified by nbt account unlock",
        "delete from object_class_props where objectclassid > 1",
        "update table nodes set nodename = 'node'",
        "lock(nodes)"
    };

    for (int i = 0; i < allowedStatements.Length; i++)
    {
        string sql = allowedStatements[i];
        bool flagged = CswSqlAnalysis.doesSqlContainDmlOrDdl(sql);
        Assert.IsFalse(flagged, "The following SQL was incorrectly considered invalid:\n\n" + sql + "\n");
    }

    for (int i = 0; i < rejectedStatements.Length; i++)
    {
        string sql = rejectedStatements[i];
        bool flagged = CswSqlAnalysis.doesSqlContainDmlOrDdl(sql);
        Assert.IsTrue(flagged, "The following SQL was incorrectly considered valid:\n\n" + sql + "\n");
    }
}
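/// <summary>
/// Extract report parameters for a report.
/// Placeholders of the form <c>{name}</c> are read from the web-service text when it is set,
/// otherwise from the SQL text. Each distinct name is mapped to a replacement value taken
/// from <paramref name="UserNode"/> and/or <paramref name="SourceNode"/>.
/// </summary>
/// <param name="UserNode">Use this user for matching parameter values (may be null).</param>
/// <param name="SourceNode">Use this node for matching parameter values (may be null). When both
/// nodes supply a value for the same name, the source node's value wins.</param>
/// <returns>Parameter name to replacement value; the value is "" when neither node supplied one.
/// Empty when neither the web-service text nor the SQL text is set.</returns>
/// <exception cref="CswDniException">Thrown when the report has SQL text and a replacement value
/// is flagged by <see cref="CswSqlAnalysis.doesSqlContainDmlOrDdl"/>.</exception>
public Dictionary<string, string> ExtractReportParams(CswNbtObjClassUser UserNode = null, CswNbtNode SourceNode = null)
{
    Dictionary<string, string> reportParams = new Dictionary<string, string>();

    // Placeholder syntax is {name}; the same pattern applies to both template sources.
    const string PlaceholderPattern = @"\{([\s\w0-9])+\}";

    // The web-service text takes precedence over the SQL text as the template.
    string templateText = null;
    if (false == string.IsNullOrEmpty(WebService.Text))
    {
        templateText = WebService.Text;
    }
    else if (false == string.IsNullOrEmpty(SQL.Text))
    {
        templateText = SQL.Text;
    }

    // Fix: previously a null MatchCollection was enumerated when neither text was set,
    // which throws NullReferenceException. A report with no template has no parameters.
    if (null == templateText)
    {
        return reportParams;
    }

    // Replacement values come from node property values (user-editable data) and the SQL
    // path presumably splices them into the statement text elsewhere (not visible here),
    // so they go through the same DML/DDL denylist as the stored SQL. NOTE(review): a
    // denylist is not a substitute for bind parameters; confirm how the caller uses these.
    // Loop-invariant, so evaluated once.
    bool reportHasSql = false == string.IsNullOrEmpty(SQL.Text);

    foreach (Match match in Regex.Matches(templateText, PlaceholderPattern))
    {
        // Strip the braces and any surrounding whitespace to get the bare parameter name.
        string paramName = match.Value.Replace('{', ' ').Replace('}', ' ').Trim();
        string replacementVal = "";

        if (null != UserNode)
        {
            if (paramName == ControlledParams.UserId || paramName == ControlledParams.NodeId)
            {
                replacementVal = UserNode.Node.NodeId.PrimaryKey.ToString();
            }
            else if (paramName == ControlledParams.RoleId)
            {
                replacementVal = UserNode.RoleId.PrimaryKey.ToString();
            }
            else
            {
                // Any other name is looked up as a property on the user's node type.
                CswNbtMetaDataNodeTypeProp userNTP = UserNode.NodeType.getNodeTypeProp(paramName);
                if (null != userNTP)
                {
                    replacementVal = UserNode.Node.Properties[userNTP].Gestalt;
                }
            }
        }

        // Consulted after the user so that the source node's value overrides it.
        if (null != SourceNode)
        {
            CswNbtMetaDataNodeTypeProp sourceNTP = SourceNode.getNodeType().getNodeTypeProp(paramName);
            if (null != sourceNTP)
            {
                replacementVal = SourceNode.Properties[sourceNTP].Gestalt;
            }
        }

        if (reportHasSql && CswSqlAnalysis.doesSqlContainDmlOrDdl(replacementVal))
        {
            throw new CswDniException("Parameter contains sql: " + paramName);
        }

        // First occurrence of a name wins; repeated placeholders are ignored.
        if (false == reportParams.ContainsKey(paramName))
        {
            reportParams.Add(paramName, replacementVal);
        }
    }

    return reportParams;
}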