Solved

replace list of string

Posted on 2013-01-29
5
430 Views
Last Modified: 2013-01-31
what i'm trying to do is to replace the string being passed into database that contains these ReplaceStr("exec insert hello htere", "", "exec ", "delete ", "drop table", "select ", "alter ", "update ", "insert ", "create ", "shutdown ", "<script ", "</script >"). Unless there's better way to do this. please help. thanks

below is code i found in vb.net to replace a list of string.
Public Function ReplaceStr(ByVal BaseStr As String, ByVal ReplWith As String, ByVal ParamArray StrToReplace() As Object)
        Dim T As Object, I As Long, K As Long

        ' Convert whatever you can to string
        On Error Resume Next
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            If Not ((VarType(StrToReplace(K)) And vbArray) = vbArray) And Not VarType(StrToReplace(K)) = vbString Then
                ' when it cannot convert, it will ignore the error, and leave the same value
                StrToReplace(K) = CStr(StrToReplace(K))
            End If
        Next K
        On Error GoTo 0

        ' Sort the array
        For K = LBound(StrToReplace) To UBound(StrToReplace)
            For I = K + 1 To UBound(StrToReplace)
                If VarType(StrToReplace(K)) = vbString And VarType(StrToReplace(I)) = vbString Then
                    If Len(StrToReplace(K)) < Len(StrToReplace(I)) Then

                        ' SWAP VALUES
                        T = StrToReplace(K)
                        StrToReplace(K) = StrToReplace(I)
                        StrToReplace(I) = T
                    End If
                End If
            Next I
        Next K

        ' Replace
        For I = 0 To UBound(StrToReplace)
            If VarType(StrToReplace(I)) = vbString Then
                BaseStr = Replace(BaseStr, StrToReplace(I), ReplWith)
            ElseIf VarType(StrToReplace(I)) = vbArray + vbString Then

                ' If input is a String Array, loop through and replace those too
                For K = LBound(StrToReplace(I)) To UBound(StrToReplace(I))
                    BaseStr = Replace(BaseStr, StrToReplace(I)(K), ReplWith)
                Next K
            End If
        Next I

        ReplaceStr = BaseStr
    End Function

Open in new window


then i tried to convert this to c# but getting into an error where it coudln't find Information or Constants.
 public object ReplaceStr(string BaseStr, string ReplWith, string[] StrToReplace)
     {
         object T = null;
         long I = 0;
         long K = 0;

         // Convert whatever you can to string
         // ERROR: Not supported in C#: OnErrorStatement

         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             if (!((Information.VarType(StrToReplace[K]) & Constants.vbArray) == Constants.vbArray) & !(Information.VarType(StrToReplace[K]) == Constants.vbString))
             {
                 // when it cannot convert, it will ignore the error, and leave the same value
                 StrToReplace[K] = Convert.ToString(StrToReplace[K]);
             }
         }
         // ERROR: Not supported in C#: OnErrorStatement


         // Sort the array
         for (K = Information.LBound(StrToReplace); K <= Information.UBound(StrToReplace); K++)
         {
             for (I = K + 1; I <= Information.UBound(StrToReplace); I++)
             {
                 if (Information.VarType(StrToReplace[K]) == Constants.vbString & Information.VarType(StrToReplace(I)) == Constants.vbString)
                 {

                     if (Strings.Len(StrToReplace[K]) < Strings.Len(StrToReplace(I)))
                     {
                         // SWAP VALUES
                         T = StrToReplace[K];
                         StrToReplace[K] = StrToReplace(I);
                         StrToReplace(I) = T;
                     }
                 }
             }
         }

         // Replace
         for (I = 0; I <= Information.UBound(StrToReplace); I++)
         {
             if (Information.VarType(StrToReplace(I)) == Constants.vbString)
             {
                 BaseStr = Strings.Replace(BaseStr, StrToReplace(I), ReplWith);

             }
             else if (Information.VarType(StrToReplace(I)) == Constants.vbArray + Constants.vbString)
             {
                 // If input is a String Array, loop through and replace those too
                 for (K = Information.LBound(StrToReplace(I)); K <= Information.UBound(StrToReplace(I)); K++)
                 {
                     BaseStr = Strings.Replace(BaseStr, StrToReplace(I)(K), ReplWith);
                 }
             }
         }

         return BaseStr;
     }

Open in new window

0
Comment
Question by:StewSupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 48

Assisted Solution

by:jpaulino
jpaulino earned 250 total points
ID: 38834218
If you use parameters or an ORM like Entity Framework, you don't need to worry about SQL Injection.

For HTML tags you can use an HTML Sanitizer like http://htmlagilitypack.codeplex.com/ or http://www.microsoft.com/en-us/download/details.aspx?id=28589

i don't advice you to use your own cleaner.
0
 
LVL 15

Accepted Solution

by:
angus_young_acdc earned 250 total points
ID: 38834803
Whilst not recommended there is a slightly easier way than the VB code you've found.

            string[] listOfIllegalStrings = new string[] {"All", "Your", "Strings", "To", "Check", "For"};

            string whateverTheStringIsYouWantToCheck = "";

            foreach (string item in listOfIllegalStrings)
            {
                if (whateverTheStringIsYouWantToCheck.Contains(item))
                {
                    whateverTheStringIsYouWantToCheck = whateverTheStringIsYouWantToCheck.Replace(item, "WhateverYouWantToReplaceWith");
                }
            }

Open in new window

0
 

Author Comment

by:StewSupport
ID: 38835830
do i need to install this antixss from microsoft on the web server?
0
 

Author Comment

by:StewSupport
ID: 38835917
i don't know if i should use the microsoft one lol. it has really bad review from codeplex site
0
 
LVL 48

Expert Comment

by:jpaulino
ID: 38835930
I like htmlagilitypack
0

Featured Post

SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Although it is an old technology, serial ports are still being used by many hardware manufacturers. If you develop applications in C#, Microsoft .NET framework has SerialPort class to communicate with the serial ports.  I needed to…
Calculating holidays and working days is a function that is often needed yet it is not one found within the Framework. This article presents one approach to building a working-day calculator for use in .NET.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question