使用 TSql100Parser 检查 SQL injection

TSql100Parser

[Test]
        /// <summary>
        /// Exercises <c>CheckSQLQuery</c> with the two sample inputs from this page.
        /// The ORDER BY sample is kept for reference but its check is currently disabled;
        /// only the WHERE-scope sample is run.
        /// </summary>
        public void Test20211117_001()
        {
            // Sample fragment for an ORDER BY position; its check is commented out.
            string orderByFragment = "<columns><column name=\"GiftID\" header=\"GiftID\" type=\"asc\"></column><column name=\"GiftName\" header=\"\" type=\"asc\"></column></columns>";
            //CheckSQLQuery(orderByFragment, QueryScopeEnum.OrderBy);

            // Sample fragment for a WHERE position; it must not pass as a single SELECT
            // (the page records the parser error it produces).
            string whereFragment = "test';WAITFOR DELAY '0:0:5'--";
            CheckSQLQuery(whereFragment, QueryScopeEnum.Where);
        }

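        /// <summary>
        /// Parses <paramref name="query"/> (after <see cref="GetCompleteQuery"/> has
        /// spliced it into a full SELECT) with <see cref="TSql100Parser"/> and reports
        /// whether the result is exactly one well-formed SELECT statement.
        /// Parse errors, more than one batch or statement, or a non-SELECT statement
        /// are all reported as invalid. This is a structural check only: it rejects
        /// input that breaks the intended statement shape, it does not execute anything.
        /// </summary>
        /// <param name="query">User-supplied fragment, or the whole query for <see cref="QueryScopeEnum.Query"/>.</param>
        /// <param name="scope">Clause the fragment is destined for.</param>
        /// <returns>
        /// <c>true</c> when the fragment is empty (nothing to check) or parses as a single
        /// SELECT statement; <c>false</c> otherwise, including for an unrecognised scope.
        /// </returns>
        private bool CheckSQLQuery(string query, QueryScopeEnum scope)
        {
            // Nothing will be spliced into the statement, so there is nothing to validate.
            if (string.IsNullOrEmpty(query))
            {
                return true;
            }

            string completeQuery = GetCompleteQuery(query, scope);
            if (string.IsNullOrEmpty(completeQuery))
            {
                // Unrecognised scope: fail closed rather than silently skipping the check.
                Console.WriteLine("invalid");
                return false;
            }

            // 'true' is the parser's initialQuotedIdentifiers setting (QUOTED_IDENTIFIER ON).
            TSql100Parser tsqlParser = new TSql100Parser(true);

            IList<ParseError> errors;
            var fragments = tsqlParser.Parse(new StringReader(completeQuery), out errors);

            var sqlScript = fragments as TSqlScript;

            // Only one batch holding one SELECT is accepted; extra statements, an
            // unterminated string or any other statement kind fails the check.
            bool valid = (errors != null)
                         && (errors.Count == 0)
                         && (sqlScript != null)
                         && (sqlScript.Batches.Count == 1)
                         && (sqlScript.Batches[0].Statements.Count == 1)
                         && (sqlScript.Batches[0].Statements[0] is SelectStatement);
            if (!valid)
            {
                Console.WriteLine("invalid");
            }

            return valid;
        }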

        /// <summary>
        /// Embeds a user-supplied fragment into a complete SELECT statement so that the
        /// parser can examine it in the clause position where it would actually be used.
        /// The table name is a placeholder; the statement is only parsed, never executed.
        /// </summary>
        /// <param name="query">SQL fragment, or the whole query when <paramref name="scope"/> is <see cref="QueryScopeEnum.Query"/>.</param>
        /// <param name="scope">Clause the fragment belongs to.</param>
        /// <returns>The complete statement, or <c>null</c> for an unrecognised scope.</returns>
        private static string GetCompleteQuery(string query, QueryScopeEnum scope)
        {
            // The whole-query scope is passed through untouched (including a null query).
            if (scope == QueryScopeEnum.Query)
            {
                return query;
            }

            string template = null;
            if (scope == QueryScopeEnum.Columns)
            {
                template = "SELECT {0} FROM [NOTEXISTINGTABLE]";
            }
            else if (scope == QueryScopeEnum.OrderBy)
            {
                template = "SELECT * FROM [NOTEXISTINGTABLE] ORDER BY {0}";
            }
            else if (scope == QueryScopeEnum.Where)
            {
                template = "SELECT * FROM [NOTEXISTINGTABLE] WHERE {0}";
            }

            if (template == null)
            {
                return null;
            }

            // The fragment is only substituted as an argument, so braces in it are not interpreted.
            return string.Format(template, query);
        }

检查 where 语句，输入 test';WAITFOR DELAY '0:0:5'-- 时解析器报错：

Expected but did not find a closing quotation mark after the character string '--.

检查 orderby 语句，输入 <columns><column name=\"GiftID\" header=\"GiftID\" type=\"asc\"></column><column name=\"GiftName\" header=\"\" type=\"asc\"></column></columns> 时解析器报错：

Incorrect syntax near <.

原文地址:https://www.cnblogs.com/chucklu/p/15567826.html