What is SQL injection?
My understanding of SQL injection is that an attacker can supply malicious parameter input so that the back end executes it as SQL, in order to read data from or damage the database.
For a simple query example, the back-end SQL is concatenated as: SELECT * from Test where name=' + parameter + '; The front-end page asks for a name, so an attacker can enter: '; DROP TABLE test;-- Don't underestimate this SQL code:
SELECT * from Test where name=''; DROP TABLE test;--'; is valid, executable SQL, but after it runs the whole Test table is gone and the website breaks!
The best way to solve it
The best approach is not to write concatenated SQL at all but to use parameterized SQL, which is recommended for new projects. It is not covered here; interested readers can look it up. This article describes a method suited to old projects that were not developed with parameterized SQL.
Use a filter function to filter request input
There are some dangerous SQL keywords, as well as the comment marker, the percent sign and the semicolon, which we strip out of all incoming request values so as to reduce the risk of the concatenated SQL being executed with hostile input. Note that a keyword blacklist is only a stopgap: it also mangles legitimate input that happens to contain these substrings and cannot replace parameterized queries. The code is as follows:
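/// <summary>
/// Blacklist-based request sanitiser for legacy ASP.NET (System.Web) code that still
/// builds SQL by string concatenation. <see cref="Filter"/> strips a fixed list of SQL
/// keywords and punctuation from every Form, QueryString and Cookie value of the
/// current request, rewriting the collections in place.
/// </summary>
/// <remarks>
/// This is a mitigation for code that cannot yet be moved to parameterized SQL, not a
/// substitute for it: removing substrings also mangles legitimate input (for example
/// "password" loses its "or"), and the protection is only as good as the list.
/// Parameterized queries are the actual fix.
/// </remarks>
public class sqlfilter
{
    // Tokens removed from every request value. Matching is case-insensitive, so the
    // entries are written in lower case. Kept as data so the list can be reviewed
    // without reading the replacement logic.
    private static readonly string[] Keywords =
    {
        "execute", "exec", "select", "insert", "update", "delete", "create", "drop",
        "alter", "exists", "table", "sysobjects", "truncate", "union", "and", "order",
        "xor", "or", "mid", "cast", "where", "asc", "desc", "xp_cmdshell", "join",
        "declare", "nvarchar", "varchar", "char", "sp_oacreate", "wscript.shell",
        "xp_regwrite", "'", "%", ";", "--",
    };

    // One alternation built from the escaped tokens. Regex.Escape matters: the original
    // used the raw strings as patterns, so the "." in "wscript.shell" matched any
    // character. CultureInvariant keeps IgnoreCase stable under cultures such as tr-TR,
    // where "I" and "i" do not case-fold to each other.
    private static readonly Regex DangerousTokens = new Regex(
        string.Join("|", Array.ConvertAll(Keywords, Regex.Escape)),
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);

    /// <summary>
    /// Removes every blacklisted token from <paramref name="value"/>, repeating until
    /// no token remains.
    /// </summary>
    /// <param name="value">Raw request value; null or empty is returned unchanged.</param>
    /// <returns>The value with all blacklisted tokens removed.</returns>
    public static string StripDangerousTokens(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return value;
        }

        // A single pass is not enough: deleting one token can join the two halves of
        // another, which the original one-pass loop left in place. Every pass either
        // shortens the string or leaves it unchanged, so the loop terminates.
        string previous;
        do
        {
            previous = value;
            value = DangerousTokens.Replace(value, string.Empty);
        }
        while (value.Length != previous.Length);

        return value;
    }

    /// <summary>
    /// Sanitises the current request's Form, QueryString and Cookie values in place.
    /// Intended to run at the start of request handling. Outside a request
    /// (<see cref="HttpContext.Current"/> is null) the method does nothing.
    /// </summary>
    /// <exception cref="Exception">
    /// Rethrown after logging. The original swallowed the exception, which failed open:
    /// an error inside the filter let the request continue with its raw input.
    /// </exception>
    public static void Filter()
    {
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return;
        }

        try
        {
            // ----------------------- anti-POST injection -----------------------
            SanitiseCollection(context.Request.Form);
            // ----------------------- anti-GET injection ------------------------
            SanitiseCollection(context.Request.QueryString);
            // ----------------------- anti-Cookie injection ---------------------
            SanitiseCookies(context.Request.Cookies);
        }
        catch (Exception ex)
        {
            // Keep the original's logging, but fail closed: a sanitiser that cannot run
            // must not let the request through unfiltered.
            Console.WriteLine(ex.Message);
            throw;
        }
    }

    // Request.Form and Request.QueryString are read-only collections. As in the original
    // code, the protected IsReadOnly flag (declared on NameObjectCollectionBase, which
    // HttpCookieCollection derives from as well) is flipped through reflection so the
    // values can be rewritten.
    private static void MakeWritable(System.Collections.Specialized.NameObjectCollectionBase collection)
    {
        PropertyInfo isReadOnly = typeof(System.Collections.Specialized.NameObjectCollectionBase)
            .GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
        if (isReadOnly != null)
        {
            isReadOnly.SetValue(collection, false, null);
        }
    }

    // Rewrites every value of a Form/QueryString collection through StripDangerousTokens.
    // The indexer joins multi-valued keys with commas on read and collapses them to a
    // single value on write, exactly as the original loop did.
    private static void SanitiseCollection(System.Collections.Specialized.NameValueCollection values)
    {
        if (values == null)
        {
            return;
        }

        MakeWritable(values);
        for (int k = 0; k < values.Count; k++)
        {
            string key = values.Keys[k];
            string value = values[key];
            // Regex.Replace throws on null input; a key with no value is left alone.
            if (value != null)
            {
                values[key] = StripDangerousTokens(value);
            }
        }
    }

    // Same treatment for cookies. HttpCookie.Value may be null, which the original
    // passed straight into Regex.Replace.
    private static void SanitiseCookies(HttpCookieCollection cookies)
    {
        if (cookies == null)
        {
            return;
        }

        MakeWritable(cookies);
        for (int k = 0; k < cookies.Count; k++)
        {
            HttpCookie cookie = cookies[k];
            if (cookie != null && cookie.Value != null)
            {
                cookie.Value = StripDangerousTokens(cookie.Value);
            }
        }
    }
}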