How does asp.net prevent SQL injection?

1. What is SQL injection attacks? 　　 The so-called SQL injection attack means that an attacker inserts an SQL command into the input field of a Web form or the query string requested by the page, and deceives the server to execute malicious SQL commands. In some forms, the content entered by users is directly used to construct (or affect) dynamic SQL commands or as input parameters of stored procedures. Such forms are particularly vulnerable to SQL injection attacks. Common SQL injection attacks include: 　　 (1) An ASP. NET Web application has a logon page that controls whether the user has the right to access the application. It requires the user to enter a name and password. 　　 (2) The content entered on the logon page is directly used to construct dynamic SQL commands, or directly used as parameters of stored procedures. The following is an example of constructing a query for an ASP. NET application: 　　 System. Text. StringBuilder query = new System. Text. StringBuilder ("select * from Users where login = '"). Append (txtLogin. Text ). Append ("'AND password = '"). Append (txtPassword. Text ). Append ("'"); 　　 (3) The attacker enters "'or '1' = '1" in the username and password input boxes. 　　 (4) After the content entered by the user is submitted to the server, the server runs the above ASP.. NET code is used to construct the SQL command to query users. However, because the content entered by attackers is very special, the final SQL command obtained is: select * from Users where login = ''or '1' = '1' AND password ='' or '1' = '1 '. 　　 The login server performs queries or stored procedures to compare the user-entered identity information with the identity information stored on the server. 　　 Because SQL commands have been modified by injection attacks and cannot actually authenticate user identities, the system will incorrectly authorize attackers. 　　 If the attacker knows that the application will directly use the content entered in the form for identity authentication queries, he will try to input some special SQL strings to tamper with the query and change its original function, the spoofing system grants access permissions. 　　 The system environment is different, and attackers may cause different damages, which is mainly determined by the security permissions of the application to access the database. If the user's account has administrator or other advanced permissions, attackers may perform various operations on the database table, including adding, deleting, or updating data, you may even directly Delete the table. 　　 2. How to prevent such attacks? 　　 Fortunately, ASP. it is not particularly difficult for a NET application to be intruded by SQL injection attacks. You only need to filter all input content before using the content entered in the form to construct an SQL command. You can filter the input content in multiple ways. 　　 (1) The following technologies can be used to dynamically construct SQL queries: 　　 First, replace the single quotation marks (single quotes) to change all single quotes to two single quotes to prevent attackers from modifying the meaning of SQL commands. Let's take a look at the previous example, "select * from Users where login = '''' or ''1'' = ''1' AND password = '''' or ''1'' = ''1 '" obviously, different results will be obtained from "select * from Users where login ='' or '1' = '1' AND password = ''or '1' = '1. 　　 2. delete all the characters in user input to prevent attackers from constructing queries such as "select * from Users where login = 'mas '-- AND password =, because the second half of this type of query has been commented out and is no longer valid, attackers only need to know a valid user logon name and do not need to know the user's password to obtain access permissions.