I am working on maintenance of an ASP.NET + C# [.NET version 3.5] application. The requirement is that, throughout the application, whatever string variable is passed to the DAL layer must be checked for some specified words and symbols.

In this case I have to go through each method and then each string parameter to check for specific words and symbols, and this will take a lot of time. So I am thinking of one approach, which I don't know is possible or not, like:

Whenever a request is made to call any method of a DAL layer class from the BLL layer, a common method defined in the DAL layer must be called automatically with all the arguments that were passed to the actual DAL method (this common method would be registered in the constructor of the DAL). In the common method I would check all string parameters and change their values if required, and after returning from this method the actual method would be called with the changed values.

Please suggest any other approach with minimum effort if this is not possible.

Neeraj Kumar Gupta
  • Do you have actual working code in progress? What have you tried, or what do you have thus far? And why do you need to change values and then pass back the changed values? Please show an example of who, what, when, how and why; it will help others to understand what you are trying to accomplish. – MethodMan Mar 13 '13 at 14:56
  • I have the application source code and intend to implement my approach, but I can't work out how to register my common method so that it is called automatically whenever a request is made for any method of that class. The other workaround I thought of is to visit each method and check each string parameter. – Neeraj Kumar Gupta Mar 13 '13 at 15:00

2 Answers

You could use one of the AOP frameworks to inject code into your DAL methods. PostSharp would be one of the better ones.

Ralf

The only way you are going to achieve such functionality is by using some Aspect Oriented Programming library such as discussed here: What is the best implementation for AOP in .Net?

It does sound like you need to verify that the user is not trying to create a SQL injection. First of all, any well-designed application will not even create the possibility for SQL injection, so such validation is not needed. If it is needed by some other requirement (to log such attempts), you would do that at the HTTP Request level instead. You can create an IHttpModule (or just write the code in global.asax) that would review all values in the Request object and see if any contain the bad words etc.

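// In Global.asax.cs: runs for every request once authorization has completed.
protected void Application_PostAuthorizeRequest(object sender, EventArgs e)
{
    // Request.Params combines QueryString, Form, Cookies and ServerVariables.
    var collection = this.Context.Request.Params;
    // AllKeys is a string[]; enumerating Keys yields object, which the string indexer does not accept.
    foreach (string key in collection.AllKeys)
    {
        // ContainsBadWords and Log are helpers you supply.
        if (ContainsBadWords(collection[key]))
            Log("Request key " + key + " contains bad words: " + collection[key]);
    }
}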
Knaģis
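
The interception the question asks for can also be built on the framework's own System.Runtime.Remoting.Proxies.RealProxy, shown here as an added example that is not code from either answer. ICustomerDal, CustomerDal, StringCheckingProxy, Wrap and the check rule are hypothetical names constructed for illustration; RealProxy can only wrap an interface or a MarshalByRefObject-derived type, so the BLL has to obtain its DAL object through Wrap.

```csharp
using System;
using System.Runtime.Remoting.Messaging;
using System.Runtime.Remoting.Proxies;

// Hypothetical DAL contract and class, constructed for this example.
public interface ICustomerDal { string FindByName(string name); }
public class CustomerDal : ICustomerDal
{
    public string FindByName(string name) { return "lookup:" + name; }
}

// Calls made through the transparent proxy reach Invoke before the DAL method.
public class StringCheckingProxy<T> : RealProxy where T : class
{
    private readonly T _target;
    private readonly Func<string, string> _check;
    private StringCheckingProxy(T target, Func<string, string> check) : base(typeof(T))
    { _target = target; _check = check; }
    public static T Wrap(T target, Func<string, string> check)
    { return (T)new StringCheckingProxy<T>(target, check).GetTransparentProxy(); }
    public override IMessage Invoke(IMessage msg)
    {
        var call = (IMethodCallMessage)msg;
        object[] args = call.Args;
        // Inspect or rewrite every string argument, whatever the method is.
        for (int i = 0; i < args.Length; i++)
            if (args[i] is string) args[i] = _check((string)args[i]);
        try
        {
            object result = call.MethodBase.Invoke(_target, args);
            // ref/out values are not passed back in this example
            return new ReturnMessage(result, null, 0, call.LogicalCallContext, call);
        }
        catch (System.Reflection.TargetInvocationException ex)
        {
            return new ReturnMessage(ex.InnerException, call); // surface the DAL's own exception
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed rule standing in for the "specified words and symbols" check.
        Func<string, string> check = s => s.Replace("--", "");
        ICustomerDal dal = StringCheckingProxy<ICustomerDal>.Wrap(new CustomerDal(), check);
        Console.WriteLine(dal.FindByName("smith --"));
    }
}
```

Checking arguments this way gives one place to log or normalize input; parameterized commands inside the DAL methods are what keep string values from being interpreted as SQL.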