c# - Preventing Injection Attacks with Excel Export -


i have posted code below excel exporting class (most of anyway). issue incurring export not safe when comes injection attacks. able mask initial command parameters, however, when passed parameterized command export(string) method, loses values set within parameters; passes literal string (i.e. select * table column_name = @parameter1). trying figure out way prevent code being unsafe. need functionality. has been fine in past because of desired audience of applications, cannot use specific code considering customer facing , more less open public use. :/ suggestions of how can achieve goal?

public static void export(string crossoverstatement = "select * table") {     // @@parameters     //     // crossoverstatement string :     //     string representation of procedure executed obtain desired crossover query results.      //create our database connection excel reference , workbook/worksheet using export data     string odbcconnection = "server info";      application xls = new application();     xls.sheetsinnewworkbook = 1;     // create our new excel application , add our workbooks/worksheets     workbook workbook = xls.workbooks.add();     worksheet crossoverpartsworksheet = xls.worksheets[1];     // hide our excel object if it's visible.     xls.visible = false;     // turn off screen updating our export process more quickly.     xls.screenupdating = false;      crossoverpartsworksheet.name = "crossover";     if (crossoverstatement != string.empty)     {         crossoverpartsworksheet.select();         var xlsheet = crossoverpartsworksheet.listobjects.addex(sourcetype: xllistobjectsourcetype.xlsrcexternal,                                                                 source: odbcconnection,                                                                 destination: xls.range["$a$1"]).querytable;         xlsheet.commandtext = crossoverstatement;         xlsheet.rownumbers = false;         xlsheet.filladjacentformulas = false;         xlsheet.preservecolumninfo = true;         xlsheet.preserveformatting = true;         xlsheet.refreshonfileopen = false;         xlsheet.backgroundquery = false;         xlsheet.savepassword = false;         xlsheet.adjustcolumnwidth = true;         xlsheet.refreshperiod = 0;         xlsheet.refreshstyle = xlcellinsertionmode.xlinsertentirerows;         xlsheet.refresh(false);         xlsheet.listobject.showautofilter = false;         xlsheet.listobject.tablestyle = "tablestylemedium16";         // unlink our table server , convert range.         xlsheet.listobject.unlink();         // freeze our column headers.         xls.application.rows["2:2"].select();         xls.activewindow.freezepanes = true;         xls.activewindow.displaygridlines = false;         // autofit our rows , columns.         xls.application.cells.entirecolumn.autofit();         xls.application.cells.entirerow.autofit();         // select first cell in worksheet.         xls.application.range["$a$2"].select();         // turn off alerts prevent asking 'overwrite existing' , 'save changes' messages.         xls.displayalerts = false;     }      // make our excel application visible     xls.visible = true;      // release our resources.     marshal.releasecomobject(workbook);     marshal.releasecomobject(crossoverpartsworksheet);     marshal.releasecomobject(xls); }

here best way complete request come with. perform parameterized query , pass resulting data table can use when calling export(datatable).

problem resolved.

public static void export(system.data.datatable crossoverdatatable) {     // @@parameters     //     // crossoverdatatable datatable :     //     data table containing information exported our excel application.     //     requested way circumvent sql injection opposed initial overload accepting string .commandtext.      application xls = new application();     xls.sheetsinnewworkbook = 1;      // create our new excel application , add our workbooks/worksheets     workbook workbook = xls.workbooks.add();     worksheet crossoverpartsworksheet = xls.worksheets[1];      // hide our excel object if it's visible.     xls.visible = false;      // turn off screen updating our export process more quickly.     xls.screenupdating = false;      // turn off calculations if set automatic; can prevent memory leaks.     xls.calculation = xls.calculation == xlcalculation.xlcalculationautomatic ? xlcalculation.xlcalculationmanual : xlcalculation.xlcalculationmanual;      // create excel table , fill our query table.     crossoverpartsworksheet.name = "crossover data";     crossoverpartsworksheet.select();     {          // create row our column headers.         (int column = 0; column < crossoverdatatable.columns.count; column++)         {             crossoverpartsworksheet.cells[1, column + 1] = crossoverdatatable.columns[column].columnname;         }          // export our datatable information excel.         (int row = 0; row < crossoverdatatable.rows.count; row++)         {             (int column = 0; column < crossoverdatatable.columns.count; column++)             {                 crossoverpartsworksheet.cells[row + 2, column + 1] = (crossoverdatatable.rows[row][column].tostring());             }         }     }      // freeze our column headers.     xls.application.rows["2:2"].select();     xls.activewindow.freezepanes = true;     xls.activewindow.displaygridlines = false;      // autofit our rows , columns.     xls.application.cells.entirecolumn.autofit();     xls.application.cells.entirerow.autofit();      // select first cell in worksheet.     xls.application.range["$a$2"].select();      // turn off alerts prevent asking 'overwrite existing' , 'save changes' messages.     xls.displayalerts = false;      // ******************************************************************************************************************     // section commented out can enabled later have excel sheets show on screen after creation.     // ******************************************************************************************************************     // make our excel application visible     xls.visible = true;      // turn screen updating on     xls.screenupdating = true;      // turn automatic calulation on     xls.calculation = xlcalculation.xlcalculationautomatic;      // release our resources.     marshal.releasecomobject(workbook);     marshal.releasecomobject(crossoverpartsworksheet);     marshal.releasecomobject(xls); }

Comments

Post a Comment

Popular posts from this blog

html - How to style widget with post count different than without post count -

i have border below li elements in wordpress widget types appropriate. element inside set block gives them nice easy click full width. the problem, when choose option "show post count" when adding widget such categories or archives displays post count plain text after tag , because tag block pushes post number text line below. whether choose show post count or not show post count still gives exact same element identifyer example "widget_categories". how style post count not on next line still keep links non post count list items full width? here's example on sidebar www.bbmthemes.com/themes/modular/blog-standard/ in order solve problem need remove display:block; for ul.widgets ul a , add in it's place line-height: 33px; what going achieve have same visual effect. what going lose doing links going work on text , not on "box". the other way out of find post count coming , make changes this. example change text count i
Read more

How to remove text and logo OR add Overflow on Android ActionBar using AppCompat on API 8? -

have researched death , cannot find answer. i have actionbar using appcompat. supporting api v7 (api v8 do). actionbar works api v11. api < v11 has problem of removing icon (and feature) actionbar without supplying overflow. big picture have app logo, app title, , 3 icons squidging same actionbar on low end phone. trying make room! i happy 1 of 2 solutions. either: a method of getting overflow functionality can retrieved pull down. (preferred) method of removing icon , text actionbar below current xml api 11+: <resources> <!-- base application theme api 11+. theme replaces appbasetheme res/values/styles.xml on api 11+ devices. --> <style name="appbasetheme" parent="theme.appcompat.light.darkactionbar"> <item name="android:actionbarstyle">@style/liteactionbarstyle</item> <item name="actionbarstyle">@style/liteactionbarstyle</item> </st
Read more

javascript - storing input from prompt in array and displaying the array -

i want take the inputs user prompt, store input in array, , display it. want take 10 inputs user using for loop. have tried do-while shown below. var givennames = new array(); var pattern = /[\w\d]{1,}/ig; do{ var name = prompt("enter names. letters , digits accepted!\nentering empty field stops asking",""); if(name && name.match(pattern)){givennames.push(name);} } while(name != ""); function displaynames(){ if(givennames.length > 0){ document.getelementbyid("list").innerhtml = "<span style='color:navy;font- weight:bold;'>given names are:<\/span><br><br>" + givennames.join("<br><br>"); } else { document.getelementbyid("list").innerhtml = "<span style='color:navy;font-weight:bold;'>nothing has been given!<\/span>"; } } how replace for loop? var givennames = new array();
Read more