Analysis of data filtering in ASP.NET

Source: Internet
Author: User
In the case of ASP.NET, most of the security issues raised come from the following three areas:
1. Upload
2. Cross-site scripting
3. Injection
Upload security is beyond the scope of this article; this one only deals with cross-site scripting and injection, and both can basically be handled by filtering! Injection is put last because SQL injection has been played with for so many years that everyone should have some precautions in place by now; still, with a little attention you can find quite a few injectable sites on the net! Note the following points.
1. All parameters: if one is of int type, convert it to int and only then process it! Don't rely on boxing and unboxing! I expect nobody puts SQL statements directly in the web page any more; at least a few classes sit in between with some simple logic in them, and the type conversion has to be part of that.
2. Use parameterized queries as much as possible!
3. At least pay attention to filtering single quotes (in fact, if you use parameterized queries it is fine not to filter, but I still do it out of habit)!
4. Do not expose raw errors directly to the user! This is not only to prevent injection, it is also a user-experience problem! By overriding the OnError event and then inheriting from that page, this can be handled very well!
Compared with that, cross-site scripting is much more troublesome to defend against, and filtering has always been a tangled business: filter too strictly and you break normal use, don't filter and you create security problems! I've pulled out the filter I just wrote; there may be things it doesn't consider, so I hope everyone will point them out.
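The four injection precautions above, applied in one ASP.NET Web Forms base page. This is an added example, not the original post's code: the class names BasePage and UserDetail, the method names ParseId and GetUserName, the Users table, the DefaultConnection connection string and the ~/Error.aspx page are all assumptions made for the illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Base page that every content page inherits from (name assumed).
public class BasePage : Page
{
    // Point 4: never show the raw exception to the user. Record it on the
    // server side and send the user to a generic error page instead.
    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        Trace.Warn("Unhandled", ex == null ? "unknown error" : ex.ToString());
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Point 1: an int parameter is parsed as int before anything touches the
    // database. Returns null when the raw value is not a valid integer.
    protected static int? ParseId(string raw)
    {
        int id;
        return int.TryParse(raw, out id) ? (int?)id : null;
    }

    // Points 2 and 3: the value never becomes part of the SQL text, so a single
    // quote in the input cannot change the statement (table name assumed).
    protected static string GetUserName(int id)
    {
        string cs = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("SELECT Name FROM Users WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }
}

// A page that inherits the base class gets the error handling for free.
public partial class UserDetail : BasePage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int? id = ParseId(Request.QueryString["id"]);
        if (id == null)
        {
            // Bad input never reaches the query; Response.End stops processing here.
            Response.StatusCode = 400;
            Response.End();
        }
        string name = GetUserName(id.Value);
        // Encode on the way back into HTML; the points above only cover the SQL side.
        Response.Write(HttpUtility.HtmlEncode(name ?? "not found"));
    }
}
```

The OnError override lives in the base class, so a page only has to inherit from BasePage to stop leaking stack traces; the query helper takes an int, which means a caller cannot hand it an unparsed string by accident.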

using System;
using System.Text.RegularExpressions;

public static class Filter
{
    public static string StringFilters(string input)
    {
        if (string.IsNullOrEmpty(input)) return input;

        /* Cross-site attack. */
        // The replacement strings below did not survive translation; HTML character
        // references that render the same text but no longer match the keyword are
        // assumed here. A preceding plain Replace call whose arguments were lost is omitted.

        // Filter attack form: javascript:alert('XSS')
        input = Regex.Replace(input, @"javascript:", "javascript&#58;", RegexOptions.IgnoreCase);
        // Filter attack form: vbscript:msgbox('XSS')
        input = Regex.Replace(input, @"vbscript:", "vbscript&#58;", RegexOptions.IgnoreCase);
        // Attack form with inserted spaces: java script:al ert('XSS')
        input = Regex.Replace(input, @"j *a *v *a *s *c *r *i *p *t:", "javascript&#58;", RegexOptions.IgnoreCase);
        // Block comments used to hide keywords (the original [ss] was a typo for [\s\S])
        input = Regex.Replace(input, @"\/\*[\s\S]*\*\/", "<!--comment-->", RegexOptions.IgnoreCase);
        // CSS expression()
        input = Regex.Replace(input, @"expression", "e&#120;pression", RegexOptions.IgnoreCase);
        // <style> tags
        input = Regex.Replace(input, @"<[\u0020]*style[^>]*>", "s&#116;yle", RegexOptions.IgnoreCase);
        // Attack form: <object type="text/x-scriptlet" data="http://www.cnblog.cn"></object>
        // Note: this filter also makes Flash embedding impossible
        input = Regex.Replace(input, @"<[^>]*object[^>]*>", "objec&#116;", RegexOptions.IgnoreCase);

        /* Various event handler attributes */
        input = Regex.Replace(input, @"<[^>]*[\u0020]+on[a-zA-Z]{3,20}[\u0020]*=[\u0020]*[^>]*>", "js event", RegexOptions.IgnoreCase);

        // input = input.Replace("'", "&#39;"); // single quote, against SQL injection (left disabled by the author)

        // Prevent script tags
        input = Regex.Replace(input, @"script", "scr&#105;pt", RegexOptions.IgnoreCase);
        // Prevent iframe injection (hidden trojan frames)
        input = Regex.Replace(input, @"frame", "fr&#97;me", RegexOptions.IgnoreCase);
        // Prohibit form submission
        input = Regex.Replace(input, @"form", "f&#111;rm", RegexOptions.IgnoreCase);
        // Prevent meta refresh jumps to illegal pages
        input = Regex.Replace(input, @"meta", "m&#101;ta", RegexOptions.IgnoreCase);
        return input;
    }
}

One more thing: the filter must not replace the string with empty, because that brings another security problem; it must replace it with some other string. For example, if you filter "hello", the user can construct a string like "helhellolo": after Replace("hello", "") the output is... I don't need to say, you know!
Also, the case here is one that supports HTML, so the angle brackets are not filtered directly!
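The nested-keyword problem from the previous paragraph, and the entity-substitution trick the filter relies on instead of deletion, in a stand-alone program. This is an added example and not code from the original post; the class name FilterDemo, the two helper methods and the sample inputs are constructed for the demonstration. It also shows HttpUtility.HtmlEncode for the case where a field does not need to carry HTML at all, which is the situation the last paragraph sets aside.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class FilterDemo
{
    // Deleting the keyword: one pass can reassemble the keyword from the pieces
    // left around the deleted copy, which is exactly the problem the post warns about.
    public static string DeleteKeyword(string input, string keyword)
    {
        return Regex.Replace(input, Regex.Escape(keyword), "", RegexOptions.IgnoreCase);
    }

    // Substituting one letter of the keyword with an HTML character reference:
    // the browser still shows the same text, but the output no longer contains
    // the keyword, and a second pass cannot reassemble it from the neighbours.
    public static string NeutralizeKeyword(string input, string keyword)
    {
        if (keyword.Length < 2) throw new ArgumentException("keyword too short", "keyword");
        string replacement = keyword.Substring(0, 1) + "&#" + (int)keyword[1] + ";" + keyword.Substring(2);
        return Regex.Replace(input, Regex.Escape(keyword), replacement, RegexOptions.IgnoreCase);
    }

    // True when the keyword still appears in the text after filtering.
    public static bool StillContains(string text, string keyword)
    {
        return text.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed input: the keyword "script" nested inside itself, so that
        // removing the inner copy joins the outer halves back together.
        string nested = "<scrscriptipt>alert(1)</scrscriptipt>";

        string deleted = DeleteKeyword(nested, "script");
        Console.WriteLine("after deletion:      " + deleted);
        Console.WriteLine("keyword present:     " + StillContains(deleted, "script"));

        string neutralized = NeutralizeKeyword(nested, "script");
        Console.WriteLine("after substitution:  " + neutralized);
        Console.WriteLine("keyword present:     " + StillContains(neutralized, "script"));

        // When the field does not need HTML at all, encode the whole value; this also
        // closes the angle-bracket cases that a keyword filter leaves open.
        Console.WriteLine("encoded:             " + HttpUtility.HtmlEncode("<b>hi</b>"));
    }
}
```

Running Main shows the difference: deletion leaves the keyword in the output, while substitution leaves a string that reads the same to a person but never matches the filter again. The keyword filter remains a compromise for fields that must accept HTML; wherever plain text is enough, encoding the whole value is the simpler and safer choice.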
