|  | 1 | +Class User.SQLInjection | 
|  | 2 | +{ | 
|  | 3 | + | 
|  | 4 | +// Some simple functions to sanitize different parts of a query | 
|  | 5 | + | 
|  | 6 | +/// Scrubs a string of harmful characters, and any extra characters we pass | 
|  | 7 | +ClassMethod SQLiHandlerValue(pQueryString, pOptional As %String = "") As %String | 
|  | 8 | +{ | 
|  | 9 | +set pQueryString = $replace(pQueryString,"SELECT","ILLEGALVALUE") | 
|  | 10 | +set pQueryString = $replace(pQueryString,"select","ILLEGALVALUE") | 
|  | 11 | +// Removes anything that isn't a letter, number, whitespace | 
|  | 12 | +return $zstrip(pQueryString,"*E'A'N'W",,pOptional) | 
|  | 13 | +} | 
|  | 14 | + | 
|  | 15 | +/// Scrubs a string of everything but numerical characters, and any extra characters we pass | 
|  | 16 | +ClassMethod SQLiHandlerNumber(pQueryString, pOptional As %String = "") As %String | 
|  | 17 | +{ | 
|  | 18 | +// Removes anything that isn't a number | 
|  | 19 | +return $zstrip(pQueryString,"*E'N",,pOptional) | 
|  | 20 | +} | 
|  | 21 | + | 
|  | 22 | +/// Takes in a field name and checks it in a table of safe values. Helpful if the user needs rights to the field but only when we want | 
|  | 23 | +ClassMethod SQLiHandlerKey(pQueryString) As %String | 
|  | 24 | +{ | 
|  | 25 | +set acceptableList = ["some","fieldname"] | 
|  | 26 | +set iter = acceptableList.%GetIterator() | 
|  | 27 | +set outputKey = "ILLEGALVALUE" | 
|  | 28 | +while iter.%GetNext(.key, .value) { | 
|  | 29 | +if pQueryString = value set outputKey = value | 
|  | 30 | +} | 
|  | 31 | +return outputKey | 
|  | 32 | +} | 
|  | 33 | + | 
|  | 34 | +} | 
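Review bot: SQLiHandlerValue (hunk lines 9-12) still leaves the door open, because the two `$replace` calls only match the exact spellings `SELECT` and `select`, the substituted `ILLEGALVALUE` is plain letters that the following `$zstrip` keeps rather than rejects, and the `pOptional` keep-list passed as the fourth `$zstrip` argument lets a caller reintroduce characters such as quotes that the strip was meant to remove. Character scrubbing is not a substitute for bound parameters; the class doc should say so, e.g. `/// NOTE: these helpers only reduce risk for identifiers; for values use host variables (embedded SQL) or %SQL.Statement with ? parameters and never build the query string directly`. For a value sanitizer the `$replace` lines add nothing the `$zstrip` does not already do, so I would drop them and have the helper fail (return `""` or throw) instead of silently substituting. The `///` description of SQLiHandlerKey (hunk line 22) ends mid-sentence ("but only when we want") and should be completed to describe the allowlist contract, including that the sentinel `ILLEGALVALUE` is returned on a miss and callers must treat it as a rejection rather than embed it.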