Solved

replace list of string

Posted on 2013-01-29
5
421 Views
Last Modified: 2013-01-31
what i'm trying to do is to replace the string being passed into database that contains these ReplaceStr("exec insert hello htere", "", "exec ", "delete ", "drop table", "select ", "alter ", "update ", "insert ", "create ", "shutdown ", "<script ", "</script >"). Unless there's better way to do this. please help. thanks

below is code i found in vb.net to replace a list of string.
Public Function ReplaceStr(ByVal BaseStr As String, ByVal ReplWith As String, ByVal ParamArray StrToReplace() As Object)
        Dim T As Object, I As Long, K As Long

        ' Convert whatever you can to string
        On Error Resume Next
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            If Not ((VarType(StrToReplace(K)) And vbArray) = vbArray) And Not VarType(StrToReplace(K)) = vbString Then
                ' when it cannot convert, it will ignore the error, and leave the same value
                StrToReplace(K) = CStr(StrToReplace(K))
            End If
        Next K
        On Error GoTo 0

        ' Sort the array
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            For I = K + 1 To UBound(StrToReplace)
                If VarType(StrToReplace(K)) = vbString And VarType(StrToReplace(I)) = vbString Then
                    If Len(StrToReplace(K)) < Len(StrToReplace(I)) Then

                        ' SWAP VALUES
                        T = StrToReplace(K)
                        StrToReplace(K) = StrToReplace(I)
                        StrToReplace(I) = T
                    End If
                End If
            Next I
        Next K

        ' Replace
        For I = 0 To UBound(StrToReplace)
            If VarType(StrToReplace(I)) = vbString Then
                BaseStr = Replace(BaseStr, StrToReplace(I), ReplWith)
            ElseIf VarType(StrToReplace(I)) = vbArray + vbString Then

                ' If input is a String Array, loop through and replace those too
                For K = LBound(StrToReplace(I)) To UBound(StrToReplace(I))
                    BaseStr = Replace(BaseStr, StrToReplace(I)(K), ReplWith)
                Next K
            End If
        Next I

        ReplaceStr = BaseStr
    End Function

Open in new window


then i tried to convert this to c# but getting into an error where it coudln't find Information or Constants.
 public object ReplaceStr(string BaseStr, string ReplWith, string[] StrToReplace)
     {
         object T = null;
         long I = 0;
         long K = 0;

         // Convert whatever you can to string
         // ERROR: Not supported in C#: OnErrorStatement

         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             if (!((Information.VarType(StrToReplace[K]) & Constants.vbArray) == Constants.vbArray) & !(Information.VarType(StrToReplace[K]) == Constants.vbString))
             {
                 // when it cannot convert, it will ignore the error, and leave the same value
                 StrToReplace[K] = Convert.ToString(StrToReplace[K]);
             }
         }
         // ERROR: Not supported in C#: OnErrorStatement


         // Sort the array
         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             for (I = K + 1; I <= Information.UBound(StrToReplace); I++)
             {
                 if (Information.VarType(StrToReplace[K]) == Constants.vbString & Information.VarType(StrToReplace(I)) == Constants.vbString)
                 {

                     if (Strings.Len(StrToReplace[K]) < Strings.Len(StrToReplace(I)))
                     {
                         // SWAP VALUES
                         T = StrToReplace[K];
                         StrToReplace[K] = StrToReplace(I);
                         StrToReplace(I) = T;
                     }
                 }
             }
         }

         // Replace
         for (I = 0; I <= Information.UBound(StrToReplace); I++)
         {
             if (Information.VarType(StrToReplace(I)) == Constants.vbString)
             {
                 BaseStr = Strings.Replace(BaseStr, StrToReplace(I), ReplWith);

             }
             else if (Information.VarType(StrToReplace(I)) == Constants.vbArray + Constants.vbString)
             {
                 // If input is a String Array, loop through and replace those too
                 for (K = Information.LBound(StrToReplace(I)); K <= Information.UBound(StrToReplace(I)); K++)
                 {
                     BaseStr = Strings.Replace(BaseStr, StrToReplace(I)(K), ReplWith);
                 }
             }
         }

         return BaseStr;
     }

Open in new window

0
Comment
Question by:StewSupport
  • 2
  • 2
5 Comments
 
LVL 48

Assisted Solution

by:jpaulino
jpaulino earned 250 total points
Comment Utility
If you use parameters or an ORM like Entity Framework, you don't need to worry about SQL Injection.

For HTML tags you can use an HTML Sanitizer like http://htmlagilitypack.codeplex.com/ or http://www.microsoft.com/en-us/download/details.aspx?id=28589

i don't advice you to use your own cleaner.
0
 
LVL 15

Accepted Solution

by:
angus_young_acdc earned 250 total points
Comment Utility
Whilst not recommended there is a slightly easier way than the VB code you've found.

            string[] listOfIllegalStrings = new string[] {"All", "Your", "Strings", "To", "Check", "For"};

            string whateverTheStringIsYouWantToCheck = "";

            foreach (string item in listOfIllegalStrings)
            {
                if (whateverTheStringIsYouWantToCheck.Contains(item))
                {
                    whateverTheStringIsYouWantToCheck = whateverTheStringIsYouWantToCheck.Replace(item, "WhateverYouWantToReplaceWith");
                }
            }

Open in new window

0
 

Author Comment

by:StewSupport
Comment Utility
do i need to install this antixss from microsoft on the web server?
0
 

Author Comment

by:StewSupport
Comment Utility
i don't know if i should use the microsoft one lol. it has really bad review from codeplex site
0
 
LVL 48

Expert Comment

by:jpaulino
Comment Utility
I like htmlagilitypack
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now