SQL Injection in Windows Forms Application

This post walks through SQL injection in a Windows Forms application, using a search form that combines input filtering with a parameterized call to a stored procedure. The filtering is defense in depth; the parameterized call is the actual control.

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Windows.Forms;
using Microsoft.Data.Schema.ScriptDom;
using Microsoft.Data.Schema.ScriptDom.Sql;

namespace
WindowsFormsApplication1
{

    public partial class Form1 :
Form

    {

        public Form1()

        {

            InitializeComponent();

        }

        SqlConnection con = new SqlConnection(@"connectionstring");

        SqlCommand cmd = new SqlCommand();
        private void Form1_Load(object sender, EventArgs e)

        {

            DataTable dt = new System.Data.DataTable();

            cmd.Connection = con;

            cmd.CommandText = "select  LastName,FirstName,Title,City from dbo.Employees";

            SqlDataAdapter da = new SqlDataAdapter(cmd);

            da.Fill(dt);

            dtgsearchitem.DataSource = dt;

        }
 

        private void btnsearch_Click(object sender, EventArgs e)

        {

            bool result = validatextbox();

            if (result == true)
            {

                 String str = txtsearchitem.Text.Replace("--", " ");
               str = str.Replace("/*", " ");

                str = str.Replace("*/", " ");
                str = str.Replace("XP_", " ");

                str = str.Trim().Replace("'", "''");
 

                DataTable dt = new System.Data.DataTable();

                cmd.Parameters.Clear();
                cmd.CommandText = "searchwindowselect";

                cmd.CommandType = CommandType.StoredProcedure;

                SqlParameter param1 = new SqlParameter("@SEARCHITEM", SqlDbType.VarChar, 100);

                param1.Value = str;

                cmd.Parameters.Add(param1);
 

                SqlParameter param2 = new SqlParameter("@CONDTION", SqlDbType.VarChar, 20);

                param2.Value = cmbCondition.Text.Trim();
                cmd.Parameters.Add(param2);

                SqlParameter param3 = new SqlParameter("@SEARCHCONDITION", SqlDbType.VarChar, 20);
                param3.Value = cmbsearchcondion.Text.Trim();

                cmd.Parameters.Add(param3);
 

                SqlDataAdapter da = new SqlDataAdapter(cmd);

                da.Fill(dt);
                dtgsearchitem.DataSource = dt;

            }

           
else

            {

                MessageBox.Show("Invalid search item");

            }

        }

        private String removeUnknownCharecter(String str)

        {

            string[] words = str.Split('-');

            str.Replace("-", " ");

            str.Replace("-", " ");

            return str;

        }

        private bool validatextbox()

        {

            int f = 1;

            String str = txtsearchitem.Text;
            string[] words = str.Split(';');

            foreach (string word in words)

            {

                string sql = word;

                var p = new TSql100Parser(true);

                IList<ParseError> errors;

                p.ParseStatementList(new StringReader(sql), out errors);

                if (errors.Count == 0)

                {

                    f = 0;

                    break;

                }

            }

            if (f == 0)

            {

                return false;

            }

           
else

            {

                return true;

            }

        }

    }

}