Search code examples
c#csv-injection

C# conditions not working same for bool values


I have a piece of code, in which I set true or false depending upon the conditions.

Below is that code

public bool HackerTextExistOrNot(string text)
    {
        bool flgValid = false;
        var attackChars = new char[] { '=', '+', '-', '@' };

        if(attackChars.Contains(text[0]))
        {
            flgValid = false;
        }
        else
        {
            flgValid = true;
        }
        return flgValid;
    }

I have checked for both the bool conditions, but it always goes in strReturnId in main function.

Below is the code.

public static string SaveRecord(RRSOCSaving RRSOCSaving, string Indication)
        {
            string strReturnId = "";
            string strAppURL = ConfigurationManager.AppSettings["AppUrl"].ToString();
            string strmail_Content = "";

            CommonDB commonObj = new CommonDB();

            GET_DATA_BY_STORE objGetData = new GET_DATA_BY_STORE();

            try
            {
                if (objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_CODE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STATE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.CITY) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SITE_STORE_FORMAT) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_1) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_2) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_MOBNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_MANAGER_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.MANAGER_MOBNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE_MOBNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SUPERVISOR_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SUPERVISOR_MOBNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_NAME_STORE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_MOBNO_STORE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NAME_ALIGNED_LPO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.LPO_MOBILENO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_MOBNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.AREA_MANAGER_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.AREA_MANAGER_MOBNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ZONAL_HEAD_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ZONAL_HEAD_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.DVR_IP_ADDRESS) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SIGNET_IP_ADDRESS) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NEAREST_POLICE_STN_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NEAREST_POLICE_STN_CONTNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NEAREST_HOSP_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NEAREST_HOSP_CONTNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NEAREST_FIRE_STN_CONTNAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NEAREST_FIRE_STN_CONTNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_ADDRESS) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_SPACE_SQFT) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.LAUNCH_DATE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.CST_TIN_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STORE_EMAILID) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NO_OF_POS) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NO_OF_CAMERA) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.DVR_MODEL_GESECURITY) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.CAMERA_MODEL) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALIGNED_LPO_MAILDID) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.FACILTY_TEAMNAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.FACILITY_TEAMNO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STATE_HEAD_OPS_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.STATE_HEAD_OPS_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.LPA) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SLP_STATE_HEAD) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SLP_STATE_HEAD_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.UserName) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.CREATED_DATE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.UserName) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.LAST_UPDATED_DATE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ISACTIVE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.LATITUDE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.LONGITUDE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SLP_EMAILID) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ZONAL_ECNUMBER) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ZONAL_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SLP_STATE_ECNUMBER) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_ECNUMBER) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.IS_STORE_IN_MALL) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.MALL_CONTROL_ROOM_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.IS_NIGHT_SEC_GUARD_AVAIL) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NIGHT_SEC_GUARD_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.NIGHT_SEC_GUARD_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.IS_NIGHT_PATROL_PARTY_AVAIL) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.PATROL_PARTY_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.PATROL_PARTY_NO) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_EMAILID) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALIGNED_LPO_ECNUMBER) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.SLP_STATE) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.FORMAT_GROUP) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALPM_NAME) ||
                    objGetData.HackerTextExistOrNot(RRSOCSaving.ALPM_ECNUMBER))
                {
                    strReturnId = "Something went wrong due to malicious script attack..!!!";
                }
                else
                {

                    if (RRSOCSaving.ROLE_ASSIGNED == "SLP State Head")
                    {
                        bool blnState1 = Array.Exists(RRSOCSaving.ASSIGNED_STATE.ToString().ToUpper().Split(','), element => element == (RRSOCSaving.STATE).ToString().ToUpper());

                        if (blnState1)
                        {
                            strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
                            //  SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
                            strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
                        }
                        else
                        {
                            strReturnId = "User can add data for " + RRSOCSaving.ASSIGNED_STATE + " only";
                        }
                    }
                    else if (RRSOCSaving.ROLE_ASSIGNED == "NHQ Admin")
                    {
                        strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
                        // SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
                        strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
                        //strReturnId = "Record Saved Succesfully";
                    }

                }

            }
            catch (Exception)
            {
                throw;
            }

            return strReturnId;

        }

UPDATE I mean to say always in

strReturnId = "Something went wrong due to malicious script attack..!!!";


Solution

  • It seems like your

    HackerTextExistOrNot

    method returns true when hacker text does NOT exist. Instead of using flgValid just return attackChars.Contains(text[0]) and it should be working correctly.

    One more thing - you are creating table each time entering this method, you might consider refactoring this code.