search

ssteenkiste / nettiers

Automatically exported from code.google.com/p/nettiers
1 stars 0 forks source link

Utility.cs in DataAccessLayer, SqlInjection --> DetectSqlInjection(string whereClause) returns always true #89

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Run DetectSqlInjection with any whereClause
2.
3.

What is the expected output? What do you see instead?
True or False

What version of .netTiers and CodeSmith are you using?
Latest version

Please provide any additional information below.
Remove last "|" from regSystemThreats

Replace

private static readonly System.Text.RegularExpressions.Regex 
regSystemThreats =  new System.Text.RegularExpressions.Regex(@"\s?;\s?|\s?
drop\s|\s?grant\s|^'|\s?--|\s?union\s|\s?delete\s|\s?truncate\s|\s?
sysobjects\s?|\s?xp_.*?|\s?syslogins\s?|\s?sysremote\s?|\s?sysusers\s?|\s?
sysxlogins\s?|\s?sysdatabases\s?|\s?aspnet_.*?|\s?exec\s?|", 
System.Text.RegularExpressions.RegexOptions.Compiled | 
System.Text.RegularExpressions.RegexOptions.IgnoreCase); 

With

private static readonly System.Text.RegularExpressions.Regex 
regSystemThreats =  new System.Text.RegularExpressions.Regex(@"\s?;\s?|\s?
drop\s|\s?grant\s|^'|\s?--|\s?union\s|\s?delete\s|\s?truncate\s|\s?
sysobjects\s?|\s?xp_.*?|\s?syslogins\s?|\s?sysremote\s?|\s?sysusers\s?|\s?
sysxlogins\s?|\s?sysdatabases\s?|\s?aspnet_.*?|\s?exec\s?", 
System.Text.RegularExpressions.RegexOptions.Compiled | 
System.Text.RegularExpressions.RegexOptions.IgnoreCase);

Original issue reported on code.google.com by fred.the...@gmail.com on 13 Aug 2008 at 6:52

GoogleCodeExporter commented 9 years ago

Original comment by jmhin...@gmail.com on 6 Oct 2008 at 1:56

GoogleCodeExporter commented 9 years ago

Original comment by jmhin...@gmail.com on 6 Oct 2008 at 6:17

GoogleCodeExporter commented 9 years ago 
Fixed in rev v2.3.0.764

Original comment by jmhin...@gmail.com on 7 Oct 2008 at 3:58