Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

replace list of string

Posted on 2013-01-29
5
Medium Priority
?
435 Views
Last Modified: 2013-01-31
what i'm trying to do is to replace the string being passed into database that contains these ReplaceStr("exec insert hello htere", "", "exec ", "delete ", "drop table", "select ", "alter ", "update ", "insert ", "create ", "shutdown ", "<script ", "</script >"). Unless there's better way to do this. please help. thanks

below is code i found in vb.net to replace a list of string.
Public Function ReplaceStr(ByVal BaseStr As String, ByVal ReplWith As String, ByVal ParamArray StrToReplace() As Object)
        Dim T As Object, I As Long, K As Long

        ' Convert whatever you can to string
        On Error Resume Next
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            If Not ((VarType(StrToReplace(K)) And vbArray) = vbArray) And Not VarType(StrToReplace(K)) = vbString Then
                ' when it cannot convert, it will ignore the error, and leave the same value
                StrToReplace(K) = CStr(StrToReplace(K))
            End If
        Next K
        On Error GoTo 0

        ' Sort the array
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            For I = K + 1 To UBound(StrToReplace)
                If VarType(StrToReplace(K)) = vbString And VarType(StrToReplace(I)) = vbString Then
                    If Len(StrToReplace(K)) < Len(StrToReplace(I)) Then

                        ' SWAP VALUES
                        T = StrToReplace(K)
                        StrToReplace(K) = StrToReplace(I)
                        StrToReplace(I) = T
                    End If
                End If
            Next I
        Next K

        ' Replace
        For I = 0 To UBound(StrToReplace)
            If VarType(StrToReplace(I)) = vbString Then
                BaseStr = Replace(BaseStr, StrToReplace(I), ReplWith)
            ElseIf VarType(StrToReplace(I)) = vbArray + vbString Then

                ' If input is a String Array, loop through and replace those too
                For K = LBound(StrToReplace(I)) To UBound(StrToReplace(I))
                    BaseStr = Replace(BaseStr, StrToReplace(I)(K), ReplWith)
                Next K
            End If
        Next I

        ReplaceStr = BaseStr
    End Function

Open in new window


then i tried to convert this to c# but getting into an error where it coudln't find Information or Constants.
 public object ReplaceStr(string BaseStr, string ReplWith, string[] StrToReplace)
     {
         object T = null;
         long I = 0;
         long K = 0;

         // Convert whatever you can to string
         // ERROR: Not supported in C#: OnErrorStatement

         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             if (!((Information.VarType(StrToReplace[K]) & Constants.vbArray) == Constants.vbArray) & !(Information.VarType(StrToReplace[K]) == Constants.vbString))
             {
                 // when it cannot convert, it will ignore the error, and leave the same value
                 StrToReplace[K] = Convert.ToString(StrToReplace[K]);
             }
         }
         // ERROR: Not supported in C#: OnErrorStatement


         // Sort the array
         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             for (I = K + 1; I <= Information.UBound(StrToReplace); I++)
             {
                 if (Information.VarType(StrToReplace[K]) == Constants.vbString & Information.VarType(StrToReplace(I)) == Constants.vbString)
                 {

                     if (Strings.Len(StrToReplace[K]) < Strings.Len(StrToReplace(I)))
                     {
                         // SWAP VALUES
                         T = StrToReplace[K];
                         StrToReplace[K] = StrToReplace(I);
                         StrToReplace(I) = T;
                     }
                 }
             }
         }

         // Replace
         for (I = 0; I <= Information.UBound(StrToReplace); I++)
         {
             if (Information.VarType(StrToReplace(I)) == Constants.vbString)
             {
                 BaseStr = Strings.Replace(BaseStr, StrToReplace(I), ReplWith);

             }
             else if (Information.VarType(StrToReplace(I)) == Constants.vbArray + Constants.vbString)
             {
                 // If input is a String Array, loop through and replace those too
                 for (K = Information.LBound(StrToReplace(I)); K <= Information.UBound(StrToReplace(I)); K++)
                 {
                     BaseStr = Strings.Replace(BaseStr, StrToReplace(I)(K), ReplWith);
                 }
             }
         }

         return BaseStr;
     }

Open in new window

0
Comment
Question by:StewSupport
  • 2
  • 2
5 Comments
 
LVL 48

Assisted Solution

by:jpaulino
jpaulino earned 1000 total points
ID: 38834218
If you use parameters or an ORM like Entity Framework, you don't need to worry about SQL Injection.

For HTML tags you can use an HTML Sanitizer like http://htmlagilitypack.codeplex.com/ or http://www.microsoft.com/en-us/download/details.aspx?id=28589

i don't advice you to use your own cleaner.
0
 
LVL 15

Accepted Solution

by:
angus_young_acdc earned 1000 total points
ID: 38834803
Whilst not recommended there is a slightly easier way than the VB code you've found.

            string[] listOfIllegalStrings = new string[] {"All", "Your", "Strings", "To", "Check", "For"};

            string whateverTheStringIsYouWantToCheck = "";

            foreach (string item in listOfIllegalStrings)
            {
                if (whateverTheStringIsYouWantToCheck.Contains(item))
                {
                    whateverTheStringIsYouWantToCheck = whateverTheStringIsYouWantToCheck.Replace(item, "WhateverYouWantToReplaceWith");
                }
            }

Open in new window

0
 

Author Comment

by:StewSupport
ID: 38835830
do i need to install this antixss from microsoft on the web server?
0
 

Author Comment

by:StewSupport
ID: 38835917
i don't know if i should use the microsoft one lol. it has really bad review from codeplex site
0
 
LVL 48

Expert Comment

by:jpaulino
ID: 38835930
I like htmlagilitypack
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question