I have, in the application, some code that validates data entry and adjusts it as needed; would this be considered a good or a bad option?
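/// <summary>
/// Applies a fixed, ordered list of substring replacements to <paramref name="str"/>:
/// single quotes are doubled and a handful of SQL comment markers and keywords are
/// blanked out.
/// NOTE(review): this is a case-sensitive, ordinal blacklist, not an injection defense.
/// It does not make the value safe to concatenate into SQL text: the same keywords in
/// another letter case pass through untouched, the list is incomplete by construction,
/// and legitimate input containing these substrings (names, passwords) is silently
/// altered. The caller should use parameterized queries instead; keep this only where
/// stored data may already depend on the transformation (e.g. a password column written
/// through it).
/// </summary>
/// <param name="str">Raw input value; may be null or empty.</param>
/// <returns>
/// <paramref name="str"/> itself when it is null or empty, otherwise a copy with every
/// replacement applied in order.
/// </returns>
public static string ValidaDados(string str)
{
    // A null argument used to throw NullReferenceException on the first Replace;
    // treat it like the empty string and hand it back unchanged.
    if (string.IsNullOrEmpty(str))
        return str;

    // Order matters: each row sees the output of the previous one.
    // "--" is listed twice on purpose: removing a keyword can join two hyphens
    // (e.g. "-update-" becomes "--" after the "update" row), and the second
    // entry catches that.
    // The "'or'1'='1'" and "1 union select" rows can no longer match once the
    // earlier quote doubling and "select" removal have run; they are kept so the
    // output stays byte-for-byte what existing callers and stored data expect.
    string[,] replacements =
    {
        { "'", "''" },
        { "--", " " },
        { "/*", " " },
        { "*/", " " },
        { " or ", "" },
        { " and ", "" },
        { "update", "" },
        { "-shutdown", "" },
        { "--", "" },
        { "'or'1'='1'", "" },
        { "insert", "" },
        { "drop", "" },
        { "delete", "" },
        { "xp_", "" },
        { "sp_", "" },
        { "select", "" },
        { "1 union select", "" },
    };

    string sValue = str;
    for (int i = 0; i < replacements.GetLength(0); i++)
    {
        // string.Replace(string, string) is an ordinal, case-sensitive match.
        sValue = sValue.Replace(replacements[i, 0], replacements[i, 1]);
    }

    // Returns the value with the replacements applied.
    return sValue;
}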
Example usage:
// Example call site: both credentials are run through ValidaDados before the lookup.
// NOTE(review): that filter does not make them safe for the string-built query inside
// ListarPorLoginSenha; the query itself is what needs parameters.
var aplicacao = new UsuarioAplicacao();
var loginFiltrado = ValidaDados(tabela.LOGIN);
var senhaFiltrada = ValidaDados(tabela.SENHA);
var retorno = aplicacao.ListarPorLoginSenha(loginFiltrado, senhaFiltrada);
Example of how it is today:
/// <summary>
/// Looks up the active (USUARIOATIVO = 'S'), non-deleted (USUARIOEXCLUIDO = 'N') user
/// whose login and password match the given values, joined with its access profile and
/// left-joined with its subscription, and returns the first row ordered by IDUSUARIO.
/// </summary>
/// <param name="login">Login value, spliced verbatim into the SQL text.</param>
/// <param name="senha">Password value, spliced verbatim into the SQL text.</param>
/// <returns>The first matching TB_USUARIO, or the default value when no row matches.</returns>
/// <remarks>
/// NOTE(review): both arguments are concatenated into the query text, so this method is
/// SQL-injectable no matter what pre-filtering the caller applies. The query also
/// compares the senha column directly with the supplied value, which suggests the
/// password is stored in a recoverable form rather than as a salted hash. The remedy is
/// a parameterized command plus a hash comparison; that requires a parameter-taking API
/// on Contexto that is not visible here, so the query text is reproduced unchanged.
/// </remarks>
public TB_USUARIO ListarPorLoginSenha(string login, string senha)
{
    // The fragments are joined in exactly this order; the leading and trailing
    // spaces are part of the resulting SQL text.
    string[] fragmentos =
    {
        " select ",
        " b.DESCRICAO as PERFIL, ",
        " b.ADMINISTRADOR as ADMINISTRADOR, ",
        " c.DATA_FIM as DATAFINALASSINATURA, ",
        " c.SITUACAOASSINATURA, ",
        " a.* ",
        " from TB_USUARIO a ",
        " inner join TB_PERFIL_ACESSO b on a.IDPERFIL = b.IDPERFIL ",
        " left join TB_ASSINATURA c on c.IDUSUARIO = a.IDUSUARIO ",
        // Untrusted values enter the SQL text here (a null argument renders as "").
        " where a.login = '" + login + "' and a.senha = '" + senha + "' ",
        " and a.USUARIOATIVO = 'S' and a.USUARIOEXCLUIDO = 'N' ",
        " ORDER BY a.IDUSUARIO",
    };
    string strQuery = string.Concat(fragmentos);

    // The context is a field assigned here and disposed when the block exits.
    using (contexto = new Contexto())
    {
        var leitor = contexto.ExecutaComandoComRetorno(strQuery);
        var usuarios = TransformaReaderEmListaObjetos(leitor);
        return usuarios.FirstOrDefault();
    }
}