using System;
using System.Text;
using System.Data;
using Microsoft.Data.SqlClient;
using System.Configuration;
namespace SQLSecurity
{
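public class Program
{
    /// <summary>
    /// Entry point. Reads the "ConsoleAppConnection" connection string from app.config, opens a
    /// connection, runs the demo queries and prints a report of any SQL errors that occur.
    /// </summary>
    /// <param name="args">Command-line arguments; not used.</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown when the "ConsoleAppConnection" connection string is missing or blank in the configuration.
    /// </exception>
    public static void Main(string[] args)
    {
        // A missing config entry used to surface as a NullReferenceException on
        // settings.ConnectionString; fail with a message that names the missing key instead.
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["ConsoleAppConnection"];
        if (settings == null || string.IsNullOrWhiteSpace(settings.ConnectionString))
        {
            throw new InvalidOperationException(
                "Connection string 'ConsoleAppConnection' was not found in the application configuration.");
        }

        using (var connection = new SqlConnection(settings.ConnectionString))
        {
            try
            {
                connection.Open();
                Console.WriteLine("Connected successfully.");
                ExecuteQuery(connection);
                Console.WriteLine("Press any key to finish...");
                Console.ReadKey(true);
            }
            catch (SqlException ex)
            {
                Console.WriteLine(FormatSqlErrors(ex));
            }
        }
    }

    /// <summary>
    /// Runs the demo queries on an open connection: prints the server session id (@@SPID), then
    /// prompts for a SalesOrderNumber and prints the matching PurchaseOrderNumber values.
    /// </summary>
    /// <param name="connection">An already-open <see cref="SqlConnection"/>.</param>
    /// <exception cref="ArgumentNullException">Thrown when <paramref name="connection"/> is null.</exception>
    public static void ExecuteQuery(SqlConnection connection)
    {
        if (connection == null)
        {
            throw new ArgumentNullException("connection");
        }

        PrintSessionId(connection);

        Console.WriteLine("Input SalesOrderNumber: ");
        // ReadLine returns null at end of input; treat that as an empty value rather than
        // passing null on to the parameter.
        string salesOrderNumber = Console.ReadLine() ?? string.Empty;
        PrintPurchaseOrderNumbers(connection, salesOrderNumber);
    }

    /// <summary>
    /// Prints the SQL Server session id of the current connection. @@SPID is a smallint, hence GetInt16.
    /// </summary>
    /// <param name="connection">An already-open <see cref="SqlConnection"/>.</param>
    private static void PrintSessionId(SqlConnection connection)
    {
        using (var command = new SqlCommand("SELECT @@SPID", connection))
        {
            command.CommandType = CommandType.Text;
            // Dispose the reader on every path; a bare Close() after the loop is skipped when Read() throws.
            using (SqlDataReader reader = command.ExecuteReader())
            {
                Console.WriteLine("SessionID = ");
                while (reader.Read())
                {
                    Console.WriteLine("{0}", reader.GetInt16(0));
                }
            }
        }
    }

    /// <summary>
    /// Prints every PurchaseOrderNumber from SalesLT.SalesOrderHeader2 whose SalesOrderNumber
    /// equals the user-supplied value.
    /// </summary>
    /// <param name="connection">An already-open <see cref="SqlConnection"/>.</param>
    /// <param name="salesOrderNumber">The value typed at the console; untrusted input.</param>
    /// <remarks>
    /// The value is bound as a typed parameter (@SalesOrderNumber, nvarchar(25)) and never
    /// concatenated into the SQL text. The concatenated form this replaces,
    /// <c>"... WHERE SalesOrderNumber = '" + salesOrderNumber + "'"</c>, lets console input
    /// rewrite the statement itself (SQL injection); with a parameter the input is only ever a value.
    /// </remarks>
    private static void PrintPurchaseOrderNumbers(SqlConnection connection, string salesOrderNumber)
    {
        using (var command = new SqlCommand(
            "SELECT PurchaseOrderNumber from SalesLT.SalesOrderHeader2 WHERE SalesOrderNumber = @SalesOrderNumber",
            connection))
        {
            command.CommandType = CommandType.Text;
            command.Parameters.Add("@SalesOrderNumber", SqlDbType.NVarChar, 25).Value = salesOrderNumber;

            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    // GetString throws on a NULL column value; PurchaseOrderNumber looks nullable in this
                    // schema (confirm against the table definition), so check for DBNull first.
                    string purchaseOrderNumber = reader.IsDBNull(0) ? string.Empty : reader.GetString(0);
                    Console.WriteLine("{0}", purchaseOrderNumber);
                }
            }
        }
    }

    /// <summary>
    /// Builds a human-readable report of every error carried by a <see cref="SqlException"/>.
    /// </summary>
    /// <param name="ex">The exception raised by the SQL client.</param>
    /// <returns>
    /// One "Index #/Message/LineNumber/Source/Procedure" group per error, each field on its own line.
    /// </returns>
    private static string FormatSqlErrors(SqlException ex)
    {
        var errorMessages = new StringBuilder();
        for (int i = 0; i < ex.Errors.Count; i++)
        {
            var error = ex.Errors[i];
            // "\n" rather than AppendLine keeps the output identical to the previous concatenated form.
            errorMessages.Append("Index #").Append(i).Append("\n")
                .Append("Message: ").Append(error.Message).Append("\n")
                .Append("LineNumber: ").Append(error.LineNumber).Append("\n")
                .Append("Source: ").Append(error.Source).Append("\n")
                .Append("Procedure: ").Append(error.Procedure).Append("\n");
        }
        return errorMessages.ToString();
    }
}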
}