I have in the application a piece of code that validates data entry, adjusting it as necessary. Would this be considered a good or a bad option?
    public static string ValidaDados(string str)
    {
        // Simple function to avoid SQL injection attacks
        // (IsNullOrEmpty also covers null, which would otherwise throw on Replace)
        if (string.IsNullOrEmpty(str))
            return str;
        string sValue = str;
        // Values to be replaced
        sValue = sValue.Replace("'", "''");
        sValue = sValue.Replace("--", " ");
        sValue = sValue.Replace("/*", " ");
        sValue = sValue.Replace("*/", " ");
        sValue = sValue.Replace(" or ", "");
        sValue = sValue.Replace(" and ", "");
        sValue = sValue.Replace("update", "");
        sValue = sValue.Replace("-shutdown", "");
        sValue = sValue.Replace("--", ""); // already handled above; kept as posted
        // note: after the quote doubling above, a single ' can no longer occur, so this never matches
        sValue = sValue.Replace("'or'1'='1'", "");
        sValue = sValue.Replace("insert", "");
        sValue = sValue.Replace("drop", "");
        sValue = sValue.Replace("delete", "");
        sValue = sValue.Replace("xp_", "");
        sValue = sValue.Replace("sp_", "");
        sValue = sValue.Replace("select", "");
        sValue = sValue.Replace("1 union select", "");
        // Return the value with the applied changes
        return sValue;
    }
Example of use:
    var tbuscar = new UsuarioAplicacao();
    var retorno = tbuscar.ListarPorLoginSenha(ValidaDados(tabela.LOGIN), ValidaDados(tabela.SENHA));
Example of how it is today:
    public TB_USUARIO ListarPorLoginSenha(string login, string senha)
    {
        var strQuery = "";
        strQuery += " select ";
        strQuery += " b.DESCRICAO as PERFIL, ";
        strQuery += " b.ADMINISTRADOR as ADMINISTRADOR, ";
        strQuery += " c.DATA_FIM as DATAFINALASSINATURA, ";
        strQuery += " c.SITUACAOASSINATURA, ";
        strQuery += " a.* ";
        strQuery += " from TB_USUARIO a ";
        strQuery += " inner join TB_PERFIL_ACESSO b on a.IDPERFIL = b.IDPERFIL ";
        strQuery += " left join TB_ASSINATURA c on c.IDUSUARIO = a.IDUSUARIO ";
        strQuery += string.Format(" where a.login = '{0}' and a.senha = '{1}' ", login, senha);
        strQuery += " and a.USUARIOATIVO = 'S' and a.USUARIOEXCLUIDO = 'N' ";
        strQuery += " ORDER BY a.IDUSUARIO";
        using (contexto = new Contexto())
        {
            var retornoDataReader = contexto.ExecutaComandoComRetorno(strQuery);
            return TransformaReaderEmListaObjetos(retornoDataReader).FirstOrDefault();
        }
    }
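The same lookup rewritten with ADO.NET parameters instead of string.Format, as an added example (not the asker's code): login and senha travel as typed literal values, so no blacklist is needed and legitimate input containing words like "select" is no longer mangled. It assumes SQL Server through System.Data.SqlClient, a connection string supplied by the caller, and column widths of 50/100 for login/senha.

```csharp
// Added example, not from the original question. Assumes SQL Server and
// System.Data.SqlClient; connStr and the 50/100 column widths are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public class UsuarioRepositorio
{
    private readonly string connStr;

    public UsuarioRepositorio(string connStr) { this.connStr = connStr; }

    // Returns true when an active, non-deleted user matches login/senha.
    // (The original maps the reader to TB_USUARIO; the mapping is left out here.)
    public bool ExisteUsuario(string login, string senha)
    {
        const string sql = @"
            select b.DESCRICAO as PERFIL, b.ADMINISTRADOR as ADMINISTRADOR,
                   c.DATA_FIM as DATAFINALASSINATURA, c.SITUACAOASSINATURA, a.*
            from TB_USUARIO a
            inner join TB_PERFIL_ACESSO b on a.IDPERFIL = b.IDPERFIL
            left join TB_ASSINATURA c on c.IDUSUARIO = a.IDUSUARIO
            where a.login = @login and a.senha = @senha
              and a.USUARIOATIVO = 'S' and a.USUARIOEXCLUIDO = 'N'
            order by a.IDUSUARIO";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, length-bounded parameters: the driver sends the values
            // separately from the command text, so quotes, comment markers or
            // SQL keywords in the input are treated as data, never as SQL.
            cmd.Parameters.Add("@login", SqlDbType.VarChar, 50).Value = login ?? string.Empty;
            cmd.Parameters.Add("@senha", SqlDbType.VarChar, 100).Value = senha ?? string.Empty;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                return reader.Read();
            }
        }
    }
}
```

The plaintext comparison of a.senha is kept from the original query; storing and checking a password hash instead is a separate change from the parameterization shown here.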
Do you use any ORM?
– Marco Vinicius Soares Dalalba
Are you using ADO.NET, EF or what? Do you know that these technologies take care of this if you do the right thing and you don’t need any of this? Do you have any reason to try to clean up like this?
– Maniero
Please specify when you use this, in which controller, in which method, and why you are using it. I believe there are better possibilities, but I lack context for my opinion.
– novic
I don't use an ORM, I use ADO.NET. On a login screen I validated the data I am receiving with the code described in the question.
– Harry
@itasouza do you use Parameters? If you do, there's no need for this! Also a tip: if you don't use them, start now... rsrsrs
– novic
@itasouza look at how important it is to use Parameters:
Command objects use parameters to pass values to SQL statements or stored procedures, providing type checking and validation. Unlike command text, parameter input is treated as a literal value, not as executable code. This helps guard against "SQL injection" attacks, in which an attacker inserts a command that compromises security on the server into an SQL statement.
In the middle of the English text it says "SQL injection attacks"... i.e., it already handles this.
– novic
I added more information
– Harry
Have any answers solved what was in doubt? Do you need something else to be improved? Do you think it is possible to accept it now?
– Maniero