Asp. Anti-SQL injection code and instance in net

First, the verification method

The code is as follows

Copy Code

/// SQL injection filtering /// String///to filter returns True if there is an unsafe character for the parameter public static bool SqlFilter2 (string intext) { String word= "And|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join"; if (intext==null) return false; foreach (String i in Word.) Split (' | ')) { if (Intext.tolower (). IndexOf (i+ "") >-1) | | (Intext.tolower (). IndexOf ("" "+i) >-1)) { return true; } } return false; }

Second, the Global.asax incident

The code is as follows

Copy Code

/// Triggers event when data is handed in /// protected void Application_BeginRequest (Object sender, EventArgs e) { Traverse the post parameter, except for hidden fields foreach (String i in this. Request.Form) { if (i== "__viewstate") continue; This.goerr (this. Request.Form.ToString ()); } Traverses the get parameter. foreach (String i in this. Request.QueryString) { This.goerr (this. Request.querystring[i]. ToString ()); } }

Three, a method in global

The code is as follows	Copy Code
/// Verify that there are SQL characters in the parameter /// private void Goerr (String tm) { if (WLCW. Extend.CValidity.SqlFilter2 (tm)) This. Response.Redirect ("/error.html"); }

Instance

Usually one file modification is not only troublesome but also has the risk of missing, I will say how to prevent injection from the whole system.

Do the following three steps, I believe that the program will be more secure, and the entire site will be the maintenance of a simple change.

First, data validation class

The following is a code fragment:

The code is as follows

Copy Code

ParameterCheck.cs public class parametercheck{ public static bool Isemail (string emailstring) { Return System.Text.RegularExpressions.Regex.IsMatch (emailstring, "['/w_-]+" (/.[' /w_-]+) *@['/w_-]+ (/.[') /w_-]+) * *. [A-za-z] {2,4} "); } public static bool Isint (string intstring) { Return System.Text.RegularExpressions.Regex.IsMatch (intstring, "^ (/d{5}-/d{4}) |" ( /D{5}) $"); } public static bool Isuszip (string zipstring) { Return System.Text.RegularExpressions.Regex.IsMatch (zipstring, "^-[0-9]+ $|^[0-9]+ $"); } }

Second, web.config

In your Web.config file, add a label below, as follows:

The following is a code fragment:

The code is as follows	Copy Code
<appSettings> <add key= "Safeparameters" value= "Orderid-int32,customeremail-email,shippingzipcode-uszip"/> </appSettings>

Where key is followed by the value "Orderid-int32", where "-" preceded by the name of the parameter such as: OrderId, followed by the int32 represents the data type.

Third, Global.asax

Add the following paragraph to the Global.asax:

The code is as follows

Copy Code

The following is a code fragment: protected void Application_BeginRequest (Object sender, EventArgs e) { string[] Safeparameters = System.Configuration.ConfigurationSettings.AppSettings ["Safeparameters"]. ToString (). Split (', '); for (int i= 0; i < safeparameters.length; i++) { String parametername = safeparameters.split ('-') [0]; String parametertype = safeparameters.split ('-') [1]; Isvalidparameter (ParameterName, parametertype); } } public void Isvalidparameter (string parametername, String parametertype) { String parametervalue = Request.querystring[parametername]; if (ParameterValue = null) return; if (Parametertype.equals ("Int32")) { if (!parametercheck.isint (ParameterValue)) Response.Redirect ("parametererror.aspx"); } else if (parametertype.equals ("double")) { if (!parametercheck.isdouble (ParameterValue)) Response.Redirect ("parametererror.aspx"); } else if (parametertype.equals ("Uszip")) { if (!parametercheck.isuszip (ParameterValue)) Response.Redirect ("parametererror.aspx"); } else if (parametertype.equals ("email")) { if (!parametercheck.isemail (ParameterValue)) Response.Redirect ("parametererror.aspx"); } }

Later need to modify the time we only need to modify the above three files, the entire system maintenance will be greatly improved efficiency, of course, you can according to their own needs to add other variable parameters and data types.