In the server security section I wrote an article titled "Cracking common SQL injection prevention methods". Some common anti-injection methods do not filter cookie data, which leaves attackers an opening. The code below therefore filters submitted cookie data as well.
Code:
The code is as follows:
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Globalization;
using System.Web;
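namespace JNYW.StuM.SqlInject
{
    /// <summary>
    /// HTTP module that screens each incoming request for blacklisted SQL
    /// fragments (see <see cref="ProcessRequest"/>) before the handler runs.
    /// </summary>
    public class SqlstrAny : IHttpModule
    {
        /// <summary>
        /// Subscribes to <see cref="HttpApplication.BeginRequest"/> so every
        /// request is screened before it reaches the page handler.
        /// </summary>
        /// <param name="application">The hosting application.</param>
        /// <exception cref="ArgumentNullException"><paramref name="application"/> is null.</exception>
        public void Init(HttpApplication application)
        {
            if (application == null)
            {
                throw new ArgumentNullException("application");
            }

            application.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

        /// <summary>Screens the request that is starting.</summary>
        private void Application_BeginRequest(object source, EventArgs e)
        {
            // ProcessRequest reads HttpContext.Current itself, so nothing from
            // 'source' is needed here.
            ProcessRequest pr = new ProcessRequest();
            pr.StartProcessRequest();
        }

        /// <summary>Nothing to release; the module holds no disposable state.</summary>
        public void Dispose()
        {
        }
    }

    /// <summary>
    /// Screens the query string, cookies and form fields of the current request
    /// against a '|'-separated blacklist of SQL fragments read from appSettings,
    /// and redirects to an error page when one is found.
    /// Substring blacklisting is a coarse mitigation only: it yields false
    /// positives (any field containing "and" or "*") and cannot be made
    /// complete, so the data layer must still use parameterised queries.
    /// </summary>
    public class ProcessRequest
    {
        // appSettings key holding the blacklist, e.g. "and|exec|insert|select".
        // A missing key yields "" rather than a NullReferenceException in the
        // type initializer, which would otherwise fail every request with a
        // TypeInitializationException.
        // NOTE(review): the Web.config sample on this page spells the key
        // "SQLInject"; AppSettings lookups are believed to be case-insensitive —
        // confirm, or align the spelling.
        private static readonly string SqlStr = ConfigurationManager.AppSettings["SqlInject"] ?? "";

        // Page the client is redirected to when a blacklisted fragment is found.
        // Read through ConfigurationManager like SqlStr (the obsolete
        // ConfigurationSettings API was used for this one before).
        private static readonly string sqlErrorPage = ConfigurationManager.AppSettings["SQLInjectErrPage"] ?? "";

        // Blacklist split once per AppDomain instead of on every value. Entries
        // are trimmed and empty ones dropped: "abc".IndexOf("") is 0, so an
        // empty or "a||b" setting would otherwise reject every non-empty value.
        private static readonly string[] SqlPatterns = SplitPatterns(SqlStr);

        /// <summary>
        /// Splits a '|'-separated blacklist into trimmed, non-empty patterns.
        /// </summary>
        /// <param name="configured">Raw appSettings value; may be empty.</param>
        /// <returns>The usable patterns, possibly an empty array.</returns>
        private static string[] SplitPatterns(string configured)
        {
            List<string> patterns = new List<string>();
            foreach (string raw in configured.Split('|'))
            {
                string pattern = raw.Trim();
                if (pattern.Length > 0)
                {
                    patterns.Add(pattern);
                }
            }
            return patterns.ToArray();
        }

        /// <summary>
        /// True when the request body is a multipart upload. Such bodies are
        /// not screened (only the form part of the screen is skipped for them).
        /// </summary>
        /// <param name="request">The current request.</param>
        private static bool IsUploadRequest(HttpRequest request)
        {
            return StringStartsWithAnotherIgnoreCase(request.ContentType, "multipart/form-data");
        }

        /// <summary>
        /// Case-insensitive, culture-independent prefix test. Either argument
        /// being null yields false (a request without a Content-Type header).
        /// </summary>
        private static bool StringStartsWithAnotherIgnoreCase(string s1, string s2)
        {
            if (s1 == null || s2 == null)
            {
                return false;
            }
            return s1.StartsWith(s2, StringComparison.OrdinalIgnoreCase);
        }

        /// <summary>
        /// Screens the current request. On the first blacklisted value the
        /// client is redirected to the configured error page and the pipeline
        /// is completed; otherwise the request proceeds unchanged.
        /// </summary>
        public void StartProcessRequest()
        {
            HttpContext context = HttpContext.Current;
            HttpRequest request = context.Request;
            HttpResponse response = context.Response;
            try
            {
                // Query string and cookies are carried in the headers and can be
                // screened for any request, including multipart uploads, which
                // previously bypassed the whole screen.
                if (!ScreenCollection(request.QueryString, "QueryString", context))
                {
                    return;
                }
                if (!ScreenCookies(request.Cookies, context))
                {
                    return;
                }
                // Only the form part of the screen is skipped for uploads.
                if (!IsUploadRequest(request) && !ScreenCollection(request.Form, "Form", context))
                {
                    return;
                }
            }
            catch (Exception)
            {
                // Best effort: anything thrown while reading the request (for
                // example a malformed body) ends the request with a fixed
                // message rather than a stack trace. NOTE(review): on newer
                // ASP.NET versions touching Request.Form here may trigger
                // request validation — confirm requestValidationMode.
                response.Clear();
                response.Write("CustomErrorPage configuration error");
                response.End();
            }
        }

        /// <summary>
        /// Redirects to the error page and completes the pipeline without the
        /// ThreadAbortException that Response.Redirect(url)/Response.End raise;
        /// the catch-all in <see cref="StartProcessRequest"/> would otherwise
        /// intercept that abort and overwrite the redirect with a
        /// "configuration error" response.
        /// </summary>
        /// <param name="context">The current context.</param>
        /// <param name="source">Which part of the request failed the screen.</param>
        private static void RejectRequest(HttpContext context, string source)
        {
            string message = Uri.EscapeDataString(source + " contains an invalid string");
            string url = sqlErrorPage + "?Errmsg=" + message + "&sqlprocess=true";
            context.Response.Redirect(url, false);
            context.ApplicationInstance.CompleteRequest();
        }

        /// <summary>
        /// Screens every value in a query-string or form collection.
        /// </summary>
        /// <param name="values">Collection to screen; null is treated as empty.</param>
        /// <param name="source">Name used in the redirect message.</param>
        /// <param name="context">The current context.</param>
        /// <returns>True when no value matched; false after redirecting.</returns>
        private static bool ScreenCollection(NameValueCollection values, string source, HttpContext context)
        {
            if (values == null)
            {
                return true;
            }
            for (int i = 0; i < values.Count; i++)
            {
                // Index access covers a bare "?flag" parameter whose key is null.
                if (!ProcessSqlStr(values[i]))
                {
                    RejectRequest(context, source);
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// Screens every cookie value. Indexing by position also covers cookies
        /// that share a name, which a by-name lookup would check only once.
        /// </summary>
        /// <param name="cookies">Cookies to screen; null is treated as empty.</param>
        /// <param name="context">The current context.</param>
        /// <returns>True when no cookie matched; false after redirecting.</returns>
        private static bool ScreenCookies(HttpCookieCollection cookies, HttpContext context)
        {
            if (cookies == null)
            {
                return true;
            }
            for (int i = 0; i < cookies.Count; i++)
            {
                HttpCookie cookie = cookies[i];
                if (cookie != null && !ProcessSqlStr(cookie.Value))
                {
                    RejectRequest(context, "Cookie");
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// Analyses one submitted value against the blacklist.
        /// </summary>
        /// <param name="Str">User-submitted value; null or empty is accepted.</param>
        /// <returns>True when no blacklisted fragment occurs in the value.</returns>
        private static bool ProcessSqlStr(string Str)
        {
            if (string.IsNullOrEmpty(Str))
            {
                return true;
            }
            foreach (string pattern in SqlPatterns)
            {
                // Ordinal, case-insensitive: a culture-sensitive, case-sensitive
                // IndexOf lets mixed-case keywords ("SeLeCt") past a lowercase list.
                if (Str.IndexOf(pattern, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return false;
                }
            }
            return true;
        }
    }
}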
In actual use, the following settings need to be added to the configuration section of the Web.config file.
The following is the sample code:
The code is as follows:
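<!-- Anti-injection settings: appSettings entries read by ProcessRequest.
     Element and attribute names are case-sensitive ("add", not "Add").
     Patterns are matched as plain substrings, so keep them free of spaces. -->
<add key="SQLInject" value="and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare"/>
<add key="SQLInjectErrPage" value="ShowErr.aspx"/>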
Add the following to the <system.web> section of the Web.config file. The sample code is:
The code is as follows:
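<!-- Anti-injection settings: register the screening module.
     Element names are case-sensitive ("httpModules"/"add"); the type attribute
     is "Namespace.Type, AssemblyName". -->
<httpModules>
  <add name="SqlstrAny" type="JNYW.StuM.SqlInject.SqlstrAny, SqlstrAny"/>
</httpModules>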