dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
WebGoat/src/main/resources/lessons/sqlinjection/documentation/SqlInjection_content11.adoc
Àngel Ollé Blázquez b93c935d6c Renamed to sqlinjection
2022-07-31 22:39:21 +02:00

23 lines
807 B
Plaintext
Raw Blame History

== Parameterized Queries - .NET
-------------------------------------------------------
public static bool isUsernameValid(string username) {
RegEx r = new Regex("^[A-Za-z0-9]{16}$");
Return r.isMatch(username);
}
// SqlConnection conn is set and opened elsewhere for brevity.
try {
string selectString = "SELECT * FROM user_table WHERE username = @userID";
SqlCommand cmd = new SqlCommand( selectString, conn );
if ( isUsernameValid( uid ) ) {
cmd.Parameters.Add( "@userID", SqlDbType.VarChar, 16 ).Value = uid;
SqlDataReader myReader = cmd.ExecuteReader();
if ( myReader ) {
// make the user record active in some way.
myReader.Close();
}
} else { // handle invalid input }
}
catch (Exception e) { // Handle all exceptions... }
-------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink