-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathProgram.cs
85 lines (81 loc) · 3.01 KB
/
Program.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
using System;
#if NETCOREAPP
using Microsoft.Data.SqlClient;
#else
using System.Data.SqlClient;
#endif
class Program
{
private static string _connectionString = "Data Source=(local);Initial Catalog=Northwind;Integrated Security=true";
static void Main()
{
string userEnteredValue = "O'Malley";
PreferredUsageExample(userEnteredValue);
//What if you have code up the call stack that is dynamically building SQL?
DynamicSQLInCodeExampleUsage("ProductName like " + userEnteredValue.FormatStringForSQL());
}
#region An Example of the preferred way to format SQL - using a parameter - to prevent SQL Injection
//https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/ado-net-code-examples
private static void PreferredUsageExample(string searchValueProvidedByUser)
{
string queryString = "SELECT ProductID, UnitPrice, ProductName from dbo.products "
+ "WHERE ProductName like @ProductName";
using (SqlConnection connection = new SqlConnection(_connectionString))
{
SqlCommand command = new SqlCommand(queryString, connection);
//This is the ideal approach - to use "Parameters" to handle the SQL Injection Risk
command.Parameters.AddWithValue("@ProductName", searchValueProvidedByUser);
try
{
connection.Open();
SqlDataReader reader = command.ExecuteReader();
#region Not Relevant To the Topics Discussed in this Article/Repo
while (reader.Read())
{
Console.WriteLine("\t{0}\t{1}\t{2}", reader[0], reader[1], reader[2]);
}
reader.Close();
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
Console.ReadLine();
#endregion
}
}
#endregion
private static void DynamicSQLInCodeExampleUsage(string searchValueProvidedByUser)
{
//Here we use a custom Extension method to add the single quotes. This is superior
//to directly adding single quotes because it allows you to change the way you format strings
//for SQL if a time ever comes where that is needed. It also allows you to scan the code
//for '" or "' or '{ or '} to identify places that are not following your guideline to use your FormatSQL method
string queryString = "SELECT ProductID, UnitPrice, ProductName from dbo.products "
+ "WHERE ProductName like " + searchValueProvidedByUser.FormatStringForSQL();
using (SqlConnection connection = new SqlConnection(_connectionString))
{
SqlCommand command = new SqlCommand(queryString, connection);
try
{
connection.Open();
SqlDataReader reader = command.ExecuteSafeReader(); //Call our Decorator-Proxy method
if (reader != null) //If the SQL has a SQL Injection risk, I have the ExecuteSafeReader return a null
#region Not Relevant To the Topics Discussed in this Article/Repo
{
while (reader.Read())
{
Console.WriteLine("\t{0}\t{1}\t{2}", reader[0], reader[1], reader[2]);
}
reader.Close();
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
Console.ReadLine();
#endregion
}
}
}