[Original] C# general permission management: program security checks you must consider

Source: Internet
Author: User


I have been working with the general permission management framework for a year and have become very familiar with it. Here I will share some good development practices under general permission management.

Security vulnerabilities may not matter much in a small project, but in a large project they matter a great deal, particularly during development. Below I list some security issues that need attention during project development.

In web development the two most commonly used HTML elements are the text input box and the button. The user types text into the box with the keyboard or mouse and clicks Submit; the first step on the server must be to validate that data.

  • B/S text box

    Every text box is validated with the appropriate regular expression. A good collection is linked here: Common Regular Expressions.

    Page security scanning tools are also used for detection. The one we use in development is AppScan Source; a link to its usage tips is shared here as well.

  • C/S text box

    For WinForms programs built with DevExpress, the DevExpress editors provide good regular-expression validation.

  • Interface Security

When our interface is exposed on the Internet it is very insecure: anyone who knows the URL can call it. I am responsible for the company's SMS interface, which is called constantly every day; many clients use it and tens of thousands of text messages are generated. If attackers learned of it, it would become an SMS bomber. For security I therefore added a check to the interface: it may only be called from an intranet IP address, and calls from Internet IP addresses are rejected. Here is the code.

```csharp
// Fragment from the SMS interface method; result is the method's int return value.
// Obtain the IP address of the request
var ipAddress = DotNet.Business.Utilities.GetIPAddress(true);
// The interface may only be called from an intranet IP; if the check fails, return an error code
if (!IpHelper.IsLocalIp(ipAddress))
{
    result = (int)MessageStatus.IpError;
    return result;
}
```

In fact there is not much code, just a few lines, and that meets the security requirement: the client must call through the intranet domain name or IP address for the request to pass the check. Let's look at the method that obtains the IP address. The `true` parameter indicates whether your server sits behind a proxy. If the server is not behind an nginx proxy the parameter can be left at its default; if it is behind a proxy, you must pass `true` to obtain the real IP address of the requesting client.

```csharp
/// <summary>
/// Obtain the client IP address (requires using System.Web)
/// </summary>
/// <param name="transparent">whether a proxy is used</param>
/// <returns>ip address</returns>
public static string GetIPAddress(bool transparent = false)
{
    string ip = string.Empty;
    if (System.Web.HttpContext.Current != null)
    {
        var serverVariables = HttpContext.Current.Request.ServerVariables;
        if (transparent)
        {
            // Behind a proxy REMOTE_ADDR is the proxy itself, so read the forwarded header.
            // The header is written by whoever sent the request, so it is only meaningful
            // when the request really arrived through your own proxy.
            if (serverVariables["HTTP_X_FORWARDED_FOR"] != null)
            {
                ip = serverVariables["HTTP_X_FORWARDED_FOR"];
            }
        }
        if (string.IsNullOrWhiteSpace(ip))
        {
            if (serverVariables["HTTP_VIA"] != null)
            {
                // HTTP_VIA present but no forwarded address: fall back to the peer address
                ip = serverVariables["HTTP_X_FORWARDED_FOR"] ?? serverVariables["REMOTE_ADDR"];
            }
            else
            {
                ip = serverVariables["REMOTE_ADDR"];
            }
        }
    }
    return ip;
}
```

Next, check whether the IP address is an intranet address. Intranet addresses generally start with 192.168 and the like, which is also how the server's own intranet address looks, so we can decide by checking the prefix of the IP address.

```csharp
/// <summary>
/// Check whether the address is an intranet IP address
/// </summary>
/// <param name="ipAddress"></param>
/// <returns></returns>
public static bool IsLocalIp(string ipAddress)
{
    bool result = false;
    if (!string.IsNullOrEmpty(ipAddress))
    {
        // Prefix test. Note that "172." covers far more than the private range 172.16.0.0/12.
        if (ipAddress.StartsWith("192.168.")
            || ipAddress.StartsWith("172.")
            || ipAddress.StartsWith("10."))
        {
            result = true;
        }
    }
    return result;
}
```

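The two helpers above rely on the text of X-Forwarded-For and on string prefixes, and both carry a caveat worth knowing. The X-Forwarded-For header is set by whoever sends the request, so it is only meaningful when the request provably arrived through your own proxy; and a StartsWith("172.") test also accepts public addresses, because only 172.16.0.0 to 172.31.255.255 is private. The following is an added example, not code from the general permission management framework: it parses the address and checks the RFC 1918 ranges exactly, and believes the forwarded header only when the TCP peer is a known proxy. The class and method names (ClientAddress, IsPrivateIPv4, Resolve) and the proxy address 10.0.0.5 are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

// Added example (not the framework's code). Names are hypothetical.
public static class ClientAddress
{
    // True only for RFC 1918 ranges and loopback. Unlike StartsWith("172."),
    // this accepts 172.16.0.0/12 and nothing else in 172.0.0.0/8.
    public static bool IsPrivateIPv4(string ipText)
    {
        IPAddress ip;
        if (!IPAddress.TryParse((ipText ?? string.Empty).Trim(), out ip)
            || ip.AddressFamily != AddressFamily.InterNetwork)
        {
            return false; // unparsable or not IPv4: fail closed
        }
        byte[] b = ip.GetAddressBytes();
        return b[0] == 10                                   // 10.0.0.0/8
            || (b[0] == 172 && b[1] >= 16 && b[1] <= 31)    // 172.16.0.0/12
            || (b[0] == 192 && b[1] == 168)                 // 192.168.0.0/16
            || b[0] == 127;                                 // 127.0.0.0/8 loopback
    }

    // Chooses the address to authorise. remoteAddr is the TCP peer (REMOTE_ADDR);
    // forwardedFor is the X-Forwarded-For header, or null when absent. The header is
    // used only when the peer is one of our own proxies, because any sender can put
    // an X-Forwarded-For of its choosing on a request. We then take the LAST entry:
    // that is the address our proxy appended, while earlier entries are whatever
    // arrived with the request.
    public static string Resolve(string remoteAddr, string forwardedFor, Func<string, bool> isTrustedProxy)
    {
        if (string.IsNullOrWhiteSpace(forwardedFor) || !isTrustedProxy(remoteAddr))
        {
            return remoteAddr;
        }
        string[] hops = forwardedFor.Split(',');
        return hops[hops.Length - 1].Trim();
    }

    public static void Main()
    {
        // Constructed sample: our reverse proxy is assumed to sit at 10.0.0.5.
        Func<string, bool> trusted = peer => peer == "10.0.0.5";

        // Request via the proxy; the header carries two hops, the last one added by our proxy.
        string ip1 = Resolve("10.0.0.5", "192.168.1.20, 203.0.113.9", trusted);
        Console.WriteLine(ip1 + " private=" + IsPrivateIPv4(ip1));

        // Request arriving directly from the Internet with a header of its own: header ignored.
        string ip2 = Resolve("203.0.113.9", "192.168.1.20", trusted);
        Console.WriteLine(ip2 + " private=" + IsPrivateIPv4(ip2));

        // Genuine intranet caller through the proxy.
        string ip3 = Resolve("10.0.0.5", "192.168.1.20", trusted);
        Console.WriteLine(ip3 + " private=" + IsPrivateIPv4(ip3));

        // Inside and outside 172.16.0.0/12; a "172." prefix test would accept both.
        Console.WriteLine(IsPrivateIPv4("172.20.3.4"));
        Console.WriteLine(IsPrivateIPv4("172.64.3.4"));
    }
}
```

If the application runs behind nginx, the list of trusted proxies should be the nginx hosts' own addresses, and the check should be applied to the address Resolve returns rather than to the raw header.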
  • SQL Security

For the text boxes in front-end requests, values must be checked for SQL statements before they reach the database. In the general permission management code we generally use strongly typed entities to add, delete, modify and query the database; I do not operate the database by concatenating SQL statements. I have always disliked splicing SQL statements together and submitting them for execution. It is handy during debugging, since you can quickly see where the SQL statement went wrong, but it is incorrect from the standpoint of program rigor. Object orientation tells us to use entities and strong types more. Splicing SQL statements is usually something beginners like to do, so in development we must use an ORM rapid-development framework (I personally recommend the general permission management ORM development framework): compatible with multiple databases, flexible switching, fast execution, no SQL statement splicing in the UI layer, parameterized queries, multi-table queries and paging.

For SQL injection vulnerabilities, refer to SQL injection vulnerability. For parameter values submitted to the back end, we must perform security checks.

```csharp
#region public static string SqlSafe(string value) check the parameter security
/// <summary>
/// Check the parameter security: doubles single quotes so the value cannot close a quoted string
/// </summary>
/// <param name="value">parameter</param>
/// <returns>safe parameter</returns>
public static string SqlSafe(string value)
{
    if (value == null)
    {
        return null;
    }
    value = value.Replace("'", "''");
    // value = value.Replace("%", "'%");
    return value;
}
#endregion
```

Let's look at the complete paging request example code. This sums up some of the security issues handled in general permission management.

 

```csharp
#region public ActionResult List(Pager pager, string beginDate, string endDate, string oldRecordKey, string newValue) get the modification record
/// <summary>
/// Obtain the modification record
/// </summary>
/// <param name="pager">paging object</param>
/// <param name="beginDate">start date</param>
/// <param name="endDate">end date</param>
/// <param name="oldRecordKey">original primary key value, generally the ticket No.</param>
/// <param name="newValue">new value after modification</param>
/// <returns></returns>
public ActionResult List(Pager pager, string beginDate, string endDate, string oldRecordKey, string newValue)
{
    var dt1 = DateTime.Now;
    var dbHelper = DbHelperFactory.GetHelper(BaseSystemInfo.BusinessDbType, BaseSystemInfo.BusinessDbConnectionString);
    var paramaterList = new List<KeyValuePair<string, object>>();
    var listWhere = new List<string>();
    // Query condition
    string conditions = null;
    // Date range of the change
    if (!string.IsNullOrEmpty(beginDate) && !string.IsNullOrEmpty(endDate))
    {
        listWhere.Add(string.Format("{0} BETWEEN TO_DATE({1}, 'yyyy-mm-dd hh24:mi:ss') AND TO_DATE({2}, 'yyyy-mm-dd hh24:mi:ss')",
            ZTO_MODIFYEntity.FieldCREATE_DATE, dbHelper.GetParameter("beginTime"), dbHelper.GetParameter("endTime")));
        paramaterList.Add(new KeyValuePair<string, object>("beginTime",
            DbLogic.SqlSafe(Convert.ToDateTime(beginDate + " 00:00:00").ToString(BaseSystemInfo.DateTimeFormat))));
        paramaterList.Add(new KeyValuePair<string, object>("endTime",
            DbLogic.SqlSafe(Convert.ToDateTime(endDate + " 23:59:59").ToString(BaseSystemInfo.DateTimeFormat))));
    }
    // Original primary key value
    if (!string.IsNullOrEmpty(oldRecordKey))
    {
        listWhere.Add(string.Format("{0} = {1}", ZTO_MODIFYEntity.FieldRECORED_KEY_OLD, dbHelper.GetParameter(ZTO_MODIFYEntity.FieldRECORED_KEY_OLD)));
        paramaterList.Add(new KeyValuePair<string, object>(dbHelper.GetParameter(ZTO_MODIFYEntity.FieldRECORED_KEY_OLD), DbLogic.SqlSafe(oldRecordKey)));
    }
    // New value after modification
    if (!string.IsNullOrEmpty(newValue))
    {
        listWhere.Add(string.Format("{0} = {1}", ZTO_MODIFYEntity.FieldVALUE_NEW, dbHelper.GetParameter(ZTO_MODIFYEntity.FieldVALUE_NEW)));
        paramaterList.Add(new KeyValuePair<string, object>(dbHelper.GetParameter(ZTO_MODIFYEntity.FieldVALUE_NEW), DbLogic.SqlSafe(newValue)));
    }
    // Restrict to the current user's own records (the role check is commented out, so this always applies)
    // if (!HasRole())
    {
        listWhere.Add(string.Format("{0} = {1}", ZTO_MODIFYEntity.FieldCREATE_MAN_ID, dbHelper.GetParameter(ZTO_MODIFYEntity.FieldCREATE_MAN_ID)));
        paramaterList.Add(new KeyValuePair<string, object>(dbHelper.GetParameter(ZTO_MODIFYEntity.FieldCREATE_MAN_ID), UserInfo.Id));
    }
    // Obtain the sorting field. Note that sort and direction are taken from the request
    // and concatenated into the ORDER BY clause without validation.
    var sortField = Request["sort"];
    if (string.IsNullOrEmpty(sortField))
    {
        sortField = ZTO_MODIFYEntity.FieldCREATE_DATE;
    }
    sortField += (" " + Request["direction"]);
    int totalRows;
    if (listWhere.Count > 0)
    {
        conditions += string.Join(" AND ", listWhere); // Construct the query condition
    }
    // Returned column names (Oracle string concatenation with ||)
    var backFieldList = new[]
    {
        string.Format("({0} || '-' || {1}) {0}", region, ZTO_MODIFYEntity.FieldTABLE_NAME),
        ZTO_MODIFYEntity.FieldCREATE_DATE,
        region,
        ZTO_MODIFYEntity.FieldCREATE_MAN
    };
    var dt = DbLogic.GetDataTableByPage(dbHelper, out totalRows, ZTO_MODIFYEntity.TableName,
        string.Join(",", backFieldList), pager.PageNo, pager.PageSize, conditions, paramaterList, sortField);
    Hashtable ht = BuildHt(dt, totalRows, dt1);
    return Json(ht, JsonRequestBehavior.AllowGet);
}
#endregion
```
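The List action above binds the filter values as parameters, which is the right control, but two details deserve a closer look. The sort column and direction are taken from Request["sort"] and Request["direction"] and concatenated into the ORDER BY unchanged, and identifiers cannot be parameterized, so the only safe option there is an allow-list of known column names. And SqlSafe is applied to values that are already bound as parameters: that adds no protection but does alter the data, so a ticket number or value containing a single quote will no longer match. The following is an added example, not code from the general permission management framework, showing the same paged filter with allow-listed identifiers and typed parameters. The class and method names (ModifyLogQuery, BuildCommand, SafeOrderBy), the table name ZTO_MODIFY and the SQL Server-style "@" parameter prefix and OFFSET/FETCH paging are assumptions; the framework's dbHelper abstracts the prefix per database.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example (not the framework's code). Names and the SQL Server dialect are assumptions.
public static class ModifyLogQuery
{
    // Identifiers cannot be parameterized, so sortable columns are an explicit allow-list.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "CREATE_DATE", "TABLE_NAME", "CREATE_MAN", "RECORED_KEY_OLD"
        };

    // Returns "<column> <ASC|DESC>" built only from allow-listed tokens. A sort or
    // direction value that is not recognised is replaced by the default, never spliced in.
    public static string SafeOrderBy(string sort, string direction)
    {
        string column = sort != null && SortableColumns.Contains(sort)
            ? sort.ToUpperInvariant()
            : "CREATE_DATE";
        string dir = string.Equals(direction, "DESC", StringComparison.OrdinalIgnoreCase)
            ? "DESC"
            : "ASC";
        return column + " " + dir;
    }

    // Builds the command for one page. Dates are parsed to DateTime first, so the database
    // receives a typed value and no quote-escaping of the text is needed or applied.
    public static SqlCommand BuildCommand(string beginDate, string endDate, string oldRecordKey,
                                          string newValue, string sort, string direction,
                                          int pageNo, int pageSize)
    {
        var cmd = new SqlCommand();
        var where = new List<string>();

        if (!string.IsNullOrEmpty(beginDate) && !string.IsNullOrEmpty(endDate))
        {
            // ParseExact rejects anything that is not a yyyy-MM-dd date.
            DateTime begin = DateTime.ParseExact(beginDate, "yyyy-MM-dd", CultureInfo.InvariantCulture);
            DateTime end = DateTime.ParseExact(endDate, "yyyy-MM-dd", CultureInfo.InvariantCulture);
            where.Add("CREATE_DATE BETWEEN @beginTime AND @endTime");
            cmd.Parameters.Add("@beginTime", SqlDbType.DateTime).Value = begin;
            cmd.Parameters.Add("@endTime", SqlDbType.DateTime).Value = end.AddDays(1).AddSeconds(-1);
        }
        if (!string.IsNullOrEmpty(oldRecordKey))
        {
            where.Add("RECORED_KEY_OLD = @oldKey");
            cmd.Parameters.Add("@oldKey", SqlDbType.NVarChar, 100).Value = oldRecordKey;
        }
        if (!string.IsNullOrEmpty(newValue))
        {
            where.Add("VALUE_NEW = @newValue");
            cmd.Parameters.Add("@newValue", SqlDbType.NVarChar, 400).Value = newValue;
        }

        // Paging values are clamped and bound as integers as well.
        int take = Math.Max(1, pageSize);
        int skip = (Math.Max(1, pageNo) - 1) * take;
        cmd.Parameters.Add("@skip", SqlDbType.Int).Value = skip;
        cmd.Parameters.Add("@take", SqlDbType.Int).Value = take;

        string condition = where.Count > 0 ? " WHERE " + string.Join(" AND ", where) : string.Empty;
        cmd.CommandText =
            "SELECT TABLE_NAME, CREATE_DATE, CREATE_MAN FROM ZTO_MODIFY"
            + condition
            + " ORDER BY " + SafeOrderBy(sort, direction)
            + " OFFSET @skip ROWS FETCH NEXT @take ROWS ONLY";
        return cmd;
    }

    public static void Main()
    {
        // Constructed request values: a key containing a quote, and a sort field that is
        // not an allowed column, so it falls back to CREATE_DATE.
        SqlCommand cmd = BuildCommand("2015-01-01", "2015-01-31", "ZT'1001", null,
                                      "created_by", "desc", 2, 20);
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
        {
            Console.WriteLine("  " + p.ParameterName + " = " + p.Value);
        }
    }
}
```

The printed command text contains no user data at all; the quote in the key travels inside the @oldKey parameter exactly as typed, and the unknown sort column never reaches the SQL string.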

 

A good ORM framework helps us handle the simple interfaces at work; saving time is saving lives.

To the readers of my blog: if you think what I have said makes sense, click the "recommend" button next to the post. If you find something inaccurate, come back to me with it!

 
