replace list of string

What I'm trying to do is strip certain strings out of the text being passed into the database, for example ReplaceStr("exec insert hello htere", "", "exec ", "delete ", "drop table", "select ", "alter ", "update ", "insert ", "create ", "shutdown ", "<script ", "</script >"). Unless there's a better way to do this. Please help. Thanks.

below is code i found in vb.net to replace a list of string.
' ReplaceStr: returns BaseStr with every occurrence of each entry in StrToReplace
' replaced by ReplWith. Entries may be strings, values convertible with CStr, or
' string arrays (whose elements are replaced as well).
'
' NOTE(review): this is a plain text substitution. Stripping SQL keywords or
' <script> tags from input is not a dependable defence against SQL injection or
' script injection; bind values as query parameters and encode on output instead.
Public Function ReplaceStr(ByVal BaseStr As String, ByVal ReplWith As String, ByVal ParamArray StrToReplace() As Object)
        ' T is the swap temporary for the sort; I and K are loop indices.
        Dim T As Object, I As Long, K As Long

        ' Convert every entry that is neither an array nor already a string to a string.
        ' Errors are suppressed for this loop only (re-enabled by On Error GoTo 0 below).
        On Error Resume Next
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            If Not ((VarType(StrToReplace(K)) And vbArray) = vbArray) And Not VarType(StrToReplace(K)) = vbString Then
                ' when it cannot convert, it will ignore the error, and leave the same value
                StrToReplace(K) = CStr(StrToReplace(K))
            End If
        Next K
        On Error GoTo 0

        ' Order the string entries longest-first with a pairwise exchange sort.
        ' Pairs where either entry is not a string (e.g. an array) are never swapped.
        ' Presumably this keeps a short entry from breaking up a longer entry that
        ' contains it before the longer one has been replaced.
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            For I = K + 1 To UBound(StrToReplace)
                If VarType(StrToReplace(K)) = vbString And VarType(StrToReplace(I)) = vbString Then
                    If Len(StrToReplace(K)) < Len(StrToReplace(I)) Then

                        ' SWAP VALUES
                        T = StrToReplace(K)
                        StrToReplace(K) = StrToReplace(I)
                        StrToReplace(I) = T
                    End If
                End If
            Next I
        Next K

        ' Apply the replacements in the sorted order. Note this loop starts at 0 rather
        ' than LBound(StrToReplace). Replace is called without a compare argument, so the
        ' default comparison applies (NOTE(review): normally case-sensitive; confirm
        ' against the project's Option Compare setting).
        For I = 0 To UBound(StrToReplace)
            If VarType(StrToReplace(I)) = vbString Then
                BaseStr = Replace(BaseStr, StrToReplace(I), ReplWith)
            ElseIf VarType(StrToReplace(I)) = vbArray + vbString Then

                ' If input is a String Array, loop through and replace those too
                ' (array elements are used in their given order; they are not sorted by length)
                For K = LBound(StrToReplace(I)) To UBound(StrToReplace(I))
                    BaseStr = Replace(BaseStr, StrToReplace(I)(K), ReplWith)
                Next K
            End If
        Next I

        ' Assigning to the function name sets the return value.
        ReplaceStr = BaseStr
    End Function



Then I tried to convert this to C#, but I'm getting an error where it couldn't find Information or Constants.
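 /// <summary>
 /// Replaces every occurrence of each entry of <paramref name="StrToReplace"/> found in
 /// <paramref name="BaseStr"/> with <paramref name="ReplWith"/>, processing the longest
 /// entries first.
 /// </summary>
 /// <param name="BaseStr">Text to process. Null or empty input is returned unchanged.</param>
 /// <param name="ReplWith">Replacement text; null or empty removes the matched entry.</param>
 /// <param name="StrToReplace">Entries to search for. Null and empty entries are skipped.</param>
 /// <returns>The processed text (a <see cref="string"/> returned as <see cref="object"/>).</returns>
 /// <remarks>
 /// Uses only core C# string and array operations, so none of the Visual Basic runtime
 /// helpers (Information, Constants, Strings) are required. Matching is ordinal and
 /// case-sensitive. This is a text substitution only: removing SQL keywords or script tags
 /// from input is not a dependable defence against SQL injection or script injection.
 /// Bind values as query parameters and encode on output instead.
 /// </remarks>
 public object ReplaceStr(string BaseStr, string ReplWith, string[] StrToReplace)
     {
         if (string.IsNullOrEmpty(BaseStr) || StrToReplace == null)
         {
             return BaseStr;
         }

         // Sort a copy so the caller's array is not reordered as a side effect.
         string[] ordered = (string[])StrToReplace.Clone();

         // Longest entry first (same pairwise exchange order as the VB routine), so a
         // short entry cannot break up a longer entry that contains it.
         for (int k = 0; k < ordered.Length; k++)
         {
             for (int i = k + 1; i < ordered.Length; i++)
             {
                 if (ordered[k] != null && ordered[i] != null && ordered[k].Length < ordered[i].Length)
                 {
                     string held = ordered[k];
                     ordered[k] = ordered[i];
                     ordered[i] = held;
                 }
             }
         }

         foreach (string entry in ordered)
         {
             // string.Replace throws on a null or empty search value, so skip those.
             if (!string.IsNullOrEmpty(entry))
             {
                 BaseStr = BaseStr.Replace(entry, ReplWith);
             }
         }

         return BaseStr;
     }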


StewSupportAsked:
 
angus_young_acdcConnect With a Mentor Commented:
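Whilst not recommended, there is a slightly easier way than the VB code you've found. (It is not recommended because stripping a list of keywords is only a text substitution; it does not reliably stop SQL injection or script injection, which is what parameters and output encoding are for.)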

            // Substrings to substitute. Contains/Replace on strings are ordinal and
            // case-sensitive, so "All" does not match "ALL" or "all".
            // This is a text substitution only, not a replacement for parameterized
            // queries or output encoding.
            string[] listOfIllegalStrings = { "All", "Your", "Strings", "To", "Check", "For" };

            string whateverTheStringIsYouWantToCheck = "";

            for (int index = 0; index < listOfIllegalStrings.Length; index++)
            {
                string illegal = listOfIllegalStrings[index];

                // Nothing to do when the entry does not occur in the text.
                if (!whateverTheStringIsYouWantToCheck.Contains(illegal))
                {
                    continue;
                }

                whateverTheStringIsYouWantToCheck = whateverTheStringIsYouWantToCheck.Replace(illegal, "WhateverYouWantToReplaceWith");
            }


 
Jorge PaulinoConnect With a Mentor IT Pro/DeveloperCommented:
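If you use parameters or an ORM like Entity Framework, you don't need to worry about SQL Injection, as long as every value reaches the query as a bound parameter and no SQL text is built by concatenating input (that includes raw SQL strings passed through the ORM).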

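For HTML tags you can use an HTML Sanitizer like http://htmlagilitypack.codeplex.com/ or http://www.microsoft.com/en-us/download/details.aspx?id=28589. Note that HTML Agility Pack is an HTML parser, so the allow-list of permitted tags and attributes is something you apply on top of it; values that should never contain markup are better encoded for the context they are written into.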

I don't advise you to write your own cleaner.
 
StewSupportAuthor Commented:
do i need to install this antixss from microsoft on the web server?
 
StewSupportAuthor Commented:
i don't know if i should use the microsoft one lol. it has really bad review from codeplex site
 
Jorge PaulinoIT Pro/DeveloperCommented:
I like htmlagilitypack