I am writing this code to protect my server from SQL injection. The goal is to insert the [BloCKiT] in front of whatever is matched. Please don’t split the words by space, because it will not work in this case. For example “s=290′;DECLARE%”. This would cause an error.
Please see the comment within the code and thank you.
The code below is written in C#.
string MyOutPut = "";
string PatternAnywhereFromWord = "declare|exec|insert|update|delete|varchar|cast";//search anywhere within the word, CASE-INSENSITIVE. This is the regular expression
string AttachmeMe = "[BloCKiT]";//Insert this string into the statement
//find patterns case-insensitive anywhere within the statement and attach the AttachmeMe variable in front of the matched position
string InputStatment = "delete s=290';DECLARE%20@S%20NVARCHAR(4000) ;insert into update all xdelete * from database exec";
//some logic here. I plan to write a loop, but I think it would perform pretty slowly
MyOutPut = "YOUR LOGIC HERE";
//The result should be [BloCKiT]delete s=290';[BloCKiT]DECLARE%20@S%20NVARCHAR(4000) ;[BloCKiT]insert into [BloCKiT]update all x[BloCKiT]delete * from database [BloCKiT]exec
Microsoft has a guidelines page for how to avoid SQL injection attacks. You should never have to manually parse your SQL strings or generate SQL strings manually, as this is prone to errors and makes your solutions rigid and difficult to maintain.
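An added C# example, not code from the question or the answer, that shows the Regex.Replace the question asks for next to the parameterized SqlCommand the answer recommends; the Products table, Id column, 64-character parameter length and the System.Data.SqlClient namespace (Microsoft.Data.SqlClient works the same) are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class InjectionDemo
{
    // Keyword tagging as asked in the question: "$0" re-inserts the whole match, so
    // "[BloCKiT]" lands in front of every case-insensitive hit without splitting on spaces.
    // Caveat: this is substring matching, so "NVARCHAR" and "xdelete" are tagged too, and
    // the tagged text is still attacker-controlled SQL text if it is concatenated later.
    public static string TagKeywords(string input)
    {
        const string pattern = "declare|exec|insert|update|delete|varchar|cast";
        return Regex.Replace(input, pattern, "[BloCKiT]$0", RegexOptions.IgnoreCase);
    }

    // The pattern the answer warns against (assumed Products/Id schema): the value
    // becomes part of the statement, so the quote in "290';DECLARE ..." ends the literal.
    public static string VulnerableSql(string s)
    {
        return "SELECT * FROM Products WHERE Id = '" + s + "'";
    }

    // What the answer recommends: the value travels as a typed parameter, never as SQL
    // text, so the whole string is compared literally against Id and cannot alter the query.
    public static SqlCommand SafeCommand(SqlConnection conn, string s)
    {
        var cmd = new SqlCommand("SELECT * FROM Products WHERE Id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.NVarChar, 64).Value = s;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input, copied from the question.
        string input = "delete s=290';DECLARE%20@S%20NVARCHAR(4000) ;insert into update all xdelete * from database exec";
        Console.WriteLine(TagKeywords(input));
        string s = "290';DECLARE @S NVARCHAR(4000)";
        Console.WriteLine(VulnerableSql(s));            // statement text now contains DECLARE
        using (var conn = new SqlConnection())          // not opened: only the command shape is shown
        {
            SqlCommand cmd = SafeCommand(conn, s);
            Console.WriteLine(cmd.CommandText);         // SELECT * FROM Products WHERE Id = @id
            Console.WriteLine(cmd.Parameters["@id"].Value); // the raw value, never merged into the text
        }
    }
}
```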