c# - How to use Linq instead of SQL Injection query for custom search -

-

i use linq instead of below hardcoded sql injection search sqlserver database tables. how retrieve dynamically generated web controls input texts in c# linq , replace entire sql injection in linq searching.

my c# code:

protected void search_button_click(object sender, eventargs e)  {     try       {          table maintable = select.findcontrol("dynamic_filter_table_id") table;        int rc = maintable.rows.count;             if (rc == 1)             {                  dropdownlist d1 = maintable.findcontrol("mainddl") dropdownlist;                 if (d1.selectedvalue.contains("decimal"))                 {                     textbox t1 = maintable.findcontrol("txtbox1") textbox;                     textbox t2 = maintable.findcontrol("txtbox2") textbox;                     sqldataadapter sql = new sqldataadapter("select f.col1,f.col2,v.col1, col2,col3, col4 , col5, cl6 table1 v , tabl2 f v.col1 = f.col1 , " + ddl1.selecteditem.text + " >= " + t1.text + " , " + ddl1.selecteditem.text + " <= " + t2.text, con);                      dataset data = new dataset();                     sql.fill(data);                     con.close();                     session["dataforsearch_ddl"] = data.tables[0];                 }             }        }      catch     {       impropersearch();     } }

why don't rewrite query sql-injection safe? linq won't give benefit.

you can achieve doing 2 things.

the first secure column names. accomplished specifying characters allowed column names (more secure trying figure out characters not allowed). in case remove letters , digits. if have column names contains underscore, add check.

the next thing use parameterized queries. each ado.net driver has built in support that, have specify value using cmd.parameters.addwithvalue. doing value isn't part of query string , hence there no potential sql injection.

using (var con = yourconnectionfactory.create()) {     using (var cmd = new sqlcommand(con))     {         var safekey1 = onlylettersanddigits(ddl1.selecteditem.text);         var safekey2 = onlylettersanddigits(ddl2.selecteditem.text);          cmd.commandtext = "select f.col1,f.col2,v.col1, col2,col3, col4 , col5, cl6 " +                                " table1 v , tabl2 f v.col1 = f.col1 " +                               " , " + safekey1 + " >= @text1 " +                                " , " + safekey2 + " <= @text2 ";             cmd.parameters.addwithvalue("text1", t1.text);             cmd.parameters.addwithvalue("text2", t2.text);              var adapter = new sqldataadapter(cmd);              var data = new dataset();             sql.fill(data);             session["dataforsearch_ddl"] = data.tables[0];     } }  public string onlylettersanddigits(string value) {     var stripped = "";     foreach (var ch in value)     {         if (char.isletterordigit(ch))             stripped += ch;     }      return stripped; }

Comments

Post a Comment

Popular posts from this blog

c++ - OpenCV Error: Assertion failed <scn == 3 ::scn == 4> in unknown function, -

-
i read alot other solution still confused should mine... #include <opencv2/objdetect/objdetect.hpp> #include <opencv2/highgui/highgui.hpp> #include <opencv2/imgproc/imgproc.hpp> #include <iostream> #include <stdio.h> using namespace std; using namespace cv; int main(int argc, const char** argv) { //create cascade classifier object used face detection cascadeclassifier face_cascade; //use haarcascade_frontalface_alt.xml library face_cascade.load("haarcascade_frontalface_alt.xml"); //setup video capture device , link first capture device videocapture capturedevice; capturedevice.open(0); //setup image files used in capture process mat captureframe; mat grayscaleframe; //create window present results namedwindow("outputcapture", 1); //create loop capture , find faces while (true) { //capture new image frame capturedevice >> captureframe; ...
Read more

php - render data via PDO::FETCH_FUNC vs loop -

-
i've been using 2 methods render data. the first one: function name($id,$name){ return '<div id="'.$id.'">'.$name.'</div>'; } echo implode($pdo->query("select id,name user")->fetchall(pdo::fetch_func,'name')); the second one: $users = $pdo->query("select id,name user")->fetchall(pdo::fetch_obj); foreach($users $user){ echo name($user->id,$user->name); } i don't understand how pdo::fetch_func works. tried figure out. however, not well-documented. could please explain fetch mode? , also, 1 performs better? thank you. both methods wrong , have learn how use templates , how separate business logic presentation logic. $users = $pdo->query("select id,name user")->fetchall(pdo::fetch_obj); tpl::assign('users', $users); is code business logic part. then in template <?php foreach $users $row): ?> <div id="<?=$...
Read more

The canvas has been tainted by cross-origin data in chrome only -

-
uncaught securityerror: failed execute 'getimagedata' on 'canvasrenderingcontext2d': canvas has been tainted cross-origin data i getting above error in chrome. code(following) works fine in mozilla. have not corss domain issue. why above error in chrome? var wheel_canvas, wheel_context, can_w, can_h, wheel_grd; var large_radius = 160; var small_radius = 120; var wheel_canvas = document.getelementbyid('wheel_canvas'); var wheel_context = wheel_canvas.getcontext('2d'); var can_w = $(wheel_canvas).width(); var can_h = $(wheel_canvas).height(); var centerx = can_w / 2, centery = can_h / 2; var wheel_grd = null; test('#ff0000'); function test(hex) { $('#clrpicker').css({'left': 210, 'top': 210 }); inverted = hexbw(hex); $('#color_val_show').val(hex); current_color_hex_val_selected = hex; $('#color_val_show').css({'color':inverted,'background':hex}); fillgradient...
Read more