Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

replace list of string

Posted on 2013-01-29
5
Medium Priority
?
432 Views
Last Modified: 2013-01-31
what i'm trying to do is to replace the string being passed into database that contains these ReplaceStr("exec insert hello htere", "", "exec ", "delete ", "drop table", "select ", "alter ", "update ", "insert ", "create ", "shutdown ", "<script ", "</script >"). Unless there's better way to do this. please help. thanks

below is code i found in vb.net to replace a list of string.
Public Function ReplaceStr(ByVal BaseStr As String, ByVal ReplWith As String, ByVal ParamArray StrToReplace() As Object)
        Dim T As Object, I As Long, K As Long

        ' Convert whatever you can to string
        On Error Resume Next
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            If Not ((VarType(StrToReplace(K)) And vbArray) = vbArray) And Not VarType(StrToReplace(K)) = vbString Then
                ' when it cannot convert, it will ignore the error, and leave the same value
                StrToReplace(K) = CStr(StrToReplace(K))
            End If
        Next K
        On Error GoTo 0

        ' Sort the array
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            For I = K + 1 To UBound(StrToReplace)
                If VarType(StrToReplace(K)) = vbString And VarType(StrToReplace(I)) = vbString Then
                    If Len(StrToReplace(K)) < Len(StrToReplace(I)) Then

                        ' SWAP VALUES
                        T = StrToReplace(K)
                        StrToReplace(K) = StrToReplace(I)
                        StrToReplace(I) = T
                    End If
                End If
            Next I
        Next K

        ' Replace
        For I = 0 To UBound(StrToReplace)
            If VarType(StrToReplace(I)) = vbString Then
                BaseStr = Replace(BaseStr, StrToReplace(I), ReplWith)
            ElseIf VarType(StrToReplace(I)) = vbArray + vbString Then

                ' If input is a String Array, loop through and replace those too
                For K = LBound(StrToReplace(I)) To UBound(StrToReplace(I))
                    BaseStr = Replace(BaseStr, StrToReplace(I)(K), ReplWith)
                Next K
            End If
        Next I

        ReplaceStr = BaseStr
    End Function

Open in new window


then i tried to convert this to c# but getting into an error where it coudln't find Information or Constants.
 public object ReplaceStr(string BaseStr, string ReplWith, string[] StrToReplace)
     {
         object T = null;
         long I = 0;
         long K = 0;

         // Convert whatever you can to string
         // ERROR: Not supported in C#: OnErrorStatement

         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             if (!((Information.VarType(StrToReplace[K]) & Constants.vbArray) == Constants.vbArray) & !(Information.VarType(StrToReplace[K]) == Constants.vbString))
             {
                 // when it cannot convert, it will ignore the error, and leave the same value
                 StrToReplace[K] = Convert.ToString(StrToReplace[K]);
             }
         }
         // ERROR: Not supported in C#: OnErrorStatement


         // Sort the array
         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             for (I = K + 1; I <= Information.UBound(StrToReplace); I++)
             {
                 if (Information.VarType(StrToReplace[K]) == Constants.vbString & Information.VarType(StrToReplace(I)) == Constants.vbString)
                 {

                     if (Strings.Len(StrToReplace[K]) < Strings.Len(StrToReplace(I)))
                     {
                         // SWAP VALUES
                         T = StrToReplace[K];
                         StrToReplace[K] = StrToReplace(I);
                         StrToReplace(I) = T;
                     }
                 }
             }
         }

         // Replace
         for (I = 0; I <= Information.UBound(StrToReplace); I++)
         {
             if (Information.VarType(StrToReplace(I)) == Constants.vbString)
             {
                 BaseStr = Strings.Replace(BaseStr, StrToReplace(I), ReplWith);

             }
             else if (Information.VarType(StrToReplace(I)) == Constants.vbArray + Constants.vbString)
             {
                 // If input is a String Array, loop through and replace those too
                 for (K = Information.LBound(StrToReplace(I)); K <= Information.UBound(StrToReplace(I)); K++)
                 {
                     BaseStr = Strings.Replace(BaseStr, StrToReplace(I)(K), ReplWith);
                 }
             }
         }

         return BaseStr;
     }

Open in new window

0
Comment
Question by:StewSupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 48

Assisted Solution

by:jpaulino
jpaulino earned 1000 total points
ID: 38834218
If you use parameters or an ORM like Entity Framework, you don't need to worry about SQL Injection.

For HTML tags you can use an HTML Sanitizer like http://htmlagilitypack.codeplex.com/ or http://www.microsoft.com/en-us/download/details.aspx?id=28589

i don't advice you to use your own cleaner.
0
 
LVL 15

Accepted Solution

by:
angus_young_acdc earned 1000 total points
ID: 38834803
Whilst not recommended there is a slightly easier way than the VB code you've found.

            string[] listOfIllegalStrings = new string[] {"All", "Your", "Strings", "To", "Check", "For"};

            string whateverTheStringIsYouWantToCheck = "";

            foreach (string item in listOfIllegalStrings)
            {
                if (whateverTheStringIsYouWantToCheck.Contains(item))
                {
                    whateverTheStringIsYouWantToCheck = whateverTheStringIsYouWantToCheck.Replace(item, "WhateverYouWantToReplaceWith");
                }
            }

Open in new window

0
 

Author Comment

by:StewSupport
ID: 38835830
do i need to install this antixss from microsoft on the web server?
0
 

Author Comment

by:StewSupport
ID: 38835917
i don't know if i should use the microsoft one lol. it has really bad review from codeplex site
0
 
LVL 48

Expert Comment

by:jpaulino
ID: 38835930
I like htmlagilitypack
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Hi all and welcome to my first article on Experts Exchange. A while ago, someone asked me if i could do some tutorials on object oriented programming. I decided to do them on C#. Now you may ask me, why's that? Well, one of the re…
Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question