In the server security section I wrote an article titled "Cracking common SQL injection prevention methods". As mentioned in that article, some common anti-injection methods do not filter cookie data, which leaves hackers an opening. The code in this section therefore filters the submitted cookie data as well.
Code:
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Globalization;
using System.Web;
Namespace jnyw. stum. sqlinject
{
public class sqlstrany : IHttpModule
{
    /// <summary>
    /// Hooks this module into the application's BeginRequest event so that every
    /// incoming request is inspected before it reaches a page or handler.
    /// </summary>
    /// <param name="application">The application the module is being initialised for.</param>
    public void Init(HttpApplication application)
    {
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }

    /// <summary>BeginRequest callback: runs the request inspection for the current request.</summary>
    private void OnBeginRequest(object sender, EventArgs e)
    {
        new processrequest().startprocessrequest();
    }

    /// <summary>Nothing to release: the module holds no resources of its own.</summary>
    public void Dispose()
    {
    }
}
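/// <summary>
/// Inspects the query string, form fields and cookies of the current request for any
/// substring listed in the "sqlinject" appSetting and, when one is found, redirects to
/// the page named by the "sqlinjecterrpage" appSetting. Request headers, the URL path
/// and the raw body are not inspected, and multipart uploads are skipped entirely.
/// This is a substring blacklist: it is a defence-in-depth layer only and does not
/// replace parameterised queries in the data-access code. Plain-word tokens such as
/// "and", "mid" or "char" also match ordinary input (constructed examples: "Android",
/// "charity"), so expect false positives with a broad list.
/// </summary>
public class processrequest
{
    // Separator between tokens in the "sqlinject" appSetting.
    private const char PatternSeparator = '|';

    // '|'-separated list of substrings to reject, read once from <appSettings key="sqlinject">.
    // Read through ConfigurationManager (ConfigurationSettings.AppSettings is obsolete) and
    // null-safe: a missing key used to throw inside the static initializer, which surfaces
    // as a TypeInitializationException on every request. An empty list rejects nothing.
    private static readonly string sqlstr = ReadSetting("sqlinject");

    // Page to redirect to when a token is found, from <appSettings key="sqlinjecterrpage">.
    // When empty, the request is refused with a plain-text message instead of a redirect.
    private static readonly string sqlerrorpage = ReadSetting("sqlinjecterrpage");

    /// <summary>Reads an appSettings value, returning "" when the key is absent.</summary>
    /// <param name="key">The appSettings key to read.</param>
    /// <returns>The configured value, or "" if the key is not present.</returns>
    private static string ReadSetting(string key)
    {
        string value = System.Configuration.ConfigurationManager.AppSettings[key];
        return value ?? "";
    }

    /// <summary>
    /// Used to identify whether the request carries a multipart (streamed) body.
    /// Such requests are not inspected by <see cref="startprocessrequest"/>.
    /// </summary>
    /// <param name="request">The current request.</param>
    /// <returns>true when the Content-Type starts with "multipart/form-data" (case-insensitive).</returns>
    bool isuploadrequest(HttpRequest request)
    {
        return stringstartswithanotherignorecase(request.ContentType, "multipart/form-data");
    }

    /// <summary>
    /// Compare content type: does <paramref name="s1"/> start with <paramref name="s2"/>, ignoring case?
    /// </summary>
    /// <param name="s1">The string to test; may be null.</param>
    /// <param name="s2">The prefix to look for.</param>
    /// <returns>true when s1 is non-null and starts with s2 (ordinal, case-insensitive).</returns>
    private static bool stringstartswithanotherignorecase(string s1, string s2)
    {
        // Media types are ASCII tokens, so an ordinal comparison is sufficient and
        // avoids culture-dependent case folding.
        return s1 != null && s1.StartsWith(s2, StringComparison.OrdinalIgnoreCase);
    }

    // SQL injection attack code analysis
    #region SQL injection attack code analysis

    /// <summary>
    /// Process the user-submitted request: skip uploads, inspect query string, form and
    /// cookies, and either let the request through, redirect to the configured error page,
    /// or refuse it with a plain-text message when the request could not be read or no
    /// error page is configured.
    /// </summary>
    public void startprocessrequest()
    {
        HttpRequest request = System.Web.HttpContext.Current.Request;
        HttpResponse response = System.Web.HttpContext.Current.Response;
        string errmsg = null;
        try
        {
            if (isuploadrequest(request)) return; // exit if the stream is passed
            errmsg = FindInvalidInput(request);
        }
        catch
        {
            // Error handling: the request collections could not be read, so the request is
            // refused rather than let through unchecked.
            RefuseWithConfigError(response);
            return;
        }

        if (errmsg == null) return; // nothing matched

        if (sqlerrorpage.Length == 0)
        {
            // No error page configured: refuse here instead of redirecting to "?errmsg=...".
            RefuseWithConfigError(response);
            return;
        }

        // Redirect outside the try block: Response.End (called by Redirect) aborts the
        // request thread with a ThreadAbortException, which the catch-all above would
        // otherwise swallow and then report as a configuration error.
        // errmsg is a fixed message chosen below, never user input; it is URL-encoded so
        // the Location header contains no spaces.
        response.Redirect(sqlerrorpage + "?errmsg=" + HttpUtility.UrlEncode(errmsg) + "&sqlprocess=true", true);
    }

    /// <summary>Clears the response and ends it with the configuration-error text.</summary>
    /// <param name="response">The current response.</param>
    private static void RefuseWithConfigError(HttpResponse response)
    {
        response.Clear();
        response.Write("customerrorpage configuration error");
        response.End();
    }

    /// <summary>
    /// Checks query string, form and cookies in that order and names the first
    /// collection that contains a blacklisted token.
    /// </summary>
    /// <param name="request">The current request.</param>
    /// <returns>The error message for the offending collection, or null when all are clean.</returns>
    private string FindInvalidInput(HttpRequest request)
    {
        if (!CollectionIsClean(request.QueryString)) return "querystring contains an invalid string";
        if (!CollectionIsClean(request.Form)) return "form contains an invalid string";

        HttpCookieCollection cookies = request.Cookies;
        if (cookies != null)
        {
            for (int i = 0; i < cookies.Count; i++)
            {
                HttpCookie cookie = cookies[i];
                // Only the raw cookie value is inspected, as in the original loop.
                if (cookie != null && !processsqlstr(cookie.Value)) return "cookie contains an invalid string";
            }
        }
        return null;
    }

    /// <summary>Runs <see cref="processsqlstr"/> over every value of a name/value collection.</summary>
    /// <param name="values">The collection to inspect; null counts as clean.</param>
    /// <returns>true when no value contains a blacklisted token.</returns>
    private bool CollectionIsClean(NameValueCollection values)
    {
        if (values == null) return true;
        for (int i = 0; i < values.Count; i++)
        {
            // values[i] yields the same (comma-joined for duplicate keys) string the
            // original obtained via values[values.Keys[i]].
            if (!processsqlstr(values[i])) return false;
        }
        return true;
    }

    /// <summary>
    /// Analyse whether a submitted value is normal.
    /// </summary>
    /// <param name="str">The user-submitted value; null or "" is treated as clean.</param>
    /// <returns>true when the value contains none of the configured tokens, false otherwise.</returns>
    private bool processsqlstr(string str)
    {
        return !ContainsBlacklistedToken(str, sqlstr);
    }

    /// <summary>
    /// Returns true when <paramref name="input"/> contains any token of the
    /// '|'-separated <paramref name="patternList"/>. Matching is an ordinal,
    /// case-insensitive substring test: SQL keywords are case-insensitive, so the
    /// original case-sensitive IndexOf let "SELECT" through while rejecting "select".
    /// </summary>
    /// <param name="input">The value to inspect; null or "" never matches.</param>
    /// <param name="patternList">Tokens separated by '|'; empty tokens are ignored.</param>
    /// <returns>true if a token occurs in the input.</returns>
    public static bool ContainsBlacklistedToken(string input, string patternList)
    {
        if (string.IsNullOrEmpty(input) || string.IsNullOrEmpty(patternList)) return false;
        foreach (string token in patternList.Split(PatternSeparator))
        {
            // "a||b" or a trailing '|' yields an empty token, and IndexOf("") is 0 for every
            // string, which would reject every request.
            if (token.Length == 0) continue;
            if (input.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0) return true;
        }
        return false;
    }

    #endregion
}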
}
In actual use, the settings below need to be added to the configuration section of the web.config file.
The following is the sample code:
<!-- Anti-injection settings -->
<Add value = "and | exec | insert | select | Delete | update | count | * | CHR | mid | master | truncate | char | declare" Key = "sqlinject"/>
<Add value = "showerr. aspx" Key = "sqlinjecterrpage"/>
Add the following code to the <system.web> section of the web.config file. The following is the sample code:
<!-- Anti-injection settings -->
<Httpmodules>
<Add name = "sqlstrany" type = "jnyw. stum. sqlinject. sqlstrany, sqlstrany"/>
</Httpmodules>