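// Whole-word, case-insensitive alternation of the blacklisted tokens, built once
// for the type instead of on every call. Two quirks of the list are worth knowing:
// "\*" between "\b" anchors only matches a '*' that sits between two word characters
// (e.g. "a*b"), and the "net +user" style entries allow one or more spaces.
private static readonly Regex s_sqlKeywordFilter = new Regex(
    @"\b(and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators)\b",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

/// <summary>
/// Heuristic check for SQL keywords in a user-supplied string.
/// </summary>
/// <param name="inputstring">Value submitted by the user; null or empty is accepted as safe.</param>
/// <returns>
/// <c>true</c> when no listed keyword is found (treated as safe);
/// <c>false</c> when a whole-word, case-insensitive match is found, or when the check
/// itself fails (fail closed).
/// </returns>
/// <remarks>
/// This is a keyword blacklist, not an injection defence: it cannot recognise every
/// dangerous input, and it flags ordinary text such as "and", "or", "count" or "char".
/// Parameterized queries (or stored-procedure parameters) in the data layer are the
/// actual protection; treat this result only as an additional signal.
/// </remarks>
public bool Processsqlstr(string inputstring)
{
    if (string.IsNullOrEmpty(inputstring))
    {
        return true; // nothing to inspect
    }

    try
    {
        return !s_sqlKeywordFilter.IsMatch(inputstring);
    }
    catch (Exception)
    {
        // Fail closed, as the original did: with the pattern compiled at type load the
        // only realistic failure here is a regex match timeout, if one is configured for
        // the process, and an unverifiable value is reported as unsafe.
        return false;
    }
}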
30
31
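/// <summary>
/// Screens every query-string and form value of the current request through
/// <see cref="Processsqlstr"/>. On the first value that fails the check, the response
/// is redirected to the page configured under the "ErrorPage" appSettings key in
/// Web.config, with the offending key name in the <c>errmsg</c> query parameter, and
/// the response is ended. Intended to be called when the page loads.
/// </summary>
/// <remarks>
/// Only QueryString and Form are inspected; cookies, headers and route values are not.
/// The screening is a blacklist heuristic (see <see cref="Processsqlstr"/>); parameterized
/// queries remain the actual injection defence. If "ErrorPage" is not configured the
/// redirect falls back to a relative URL, so a failed check still blocks the request
/// instead of being silently skipped.
/// </remarks>
public void ProcessRequest()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    if (context == null)
    {
        return; // not running inside an HTTP request; nothing to screen
    }

    try
    {
        // AppSettings[...] already returns a string (or null). The original called
        // .ToString() on it, so a missing key raised a NullReferenceException that the
        // empty catch swallowed, disabling the whole check (fail-open).
        string sqlErrorPage = System.Configuration.ConfigurationSettings.AppSettings["ErrorPage"] ?? string.Empty;

        ScreenCollection(context, context.Request.QueryString, sqlErrorPage);
        ScreenCollection(context, context.Request.Form, sqlErrorPage);
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Response.End() (called by Response.Redirect) aborts the thread on purpose;
        // let it propagate so the redirect completes.
        throw;
    }
    catch (Exception ex)
    {
        // Do not hide failures: a swallowed screening error lets the request through
        // unchecked. Record it; the page continues as the original did.
        System.Diagnostics.Trace.TraceError("ProcessRequest: request screening failed: {0}", ex);
    }
}

/// <summary>
/// Runs each value of <paramref name="values"/> through <see cref="Processsqlstr"/>.
/// On the first failure the response is redirected to the error page and ended, so the
/// method does not return normally in that case.
/// </summary>
/// <param name="context">Current HTTP context (non-null).</param>
/// <param name="values">Request collection to screen; null is skipped.</param>
/// <param name="sqlErrorPage">Error page URL, possibly empty.</param>
private void ScreenCollection(System.Web.HttpContext context, System.Collections.Specialized.NameValueCollection values, string sqlErrorPage)
{
    if (values == null)
    {
        return;
    }

    foreach (string key in values.AllKeys)
    {
        if (Processsqlstr(values[key]))
        {
            continue;
        }

        // The key name comes from the client; URL-encode the whole errmsg value before
        // reflecting it into the Location header so it cannot add extra parameters.
        string errmsg = System.Web.HttpUtility.UrlEncode(key + "There is a suspected SQL attack!");
        // Redirect(url) ends the response itself (endResponse defaults to true), so the
        // original's separate Response.End() call is not needed.
        context.Response.Redirect(sqlErrorPage + "?errmsg=" + errmsg);
    }
}
#endregion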
77
78
79
80
#region Converting SQL code (also guards against SQL injection; usable in the business-logic layer, but the UI layer must decode the data when it is entered)
/// <summary>
/// Trims the input and truncates it to at most <paramref name="maxLength"/> characters.
/// </summary>
/// <param name="inputstring">Text to normalise; null or empty is returned unchanged.</param>
/// <param name="maxLength">Maximum number of characters to keep after trimming.</param>
/// <returns>The trimmed, length-limited string, or the original null/empty value.</returns>
/// <exception cref="ArgumentOutOfRangeException">
/// Propagated from <see cref="string.Substring(int, int)"/> when <paramref name="maxLength"/>
/// is negative and the trimmed text is longer than it.
/// </exception>
public string Checkstringlength(String inputstring, Int32 maxLength)
{
    if (string.IsNullOrEmpty(inputstring))
    {
        return inputstring;
    }

    string trimmed = inputstring.Trim();
    return trimmed.Length > maxLength ? trimmed.Substring(0, maxLength) : trimmed;
}
99
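// Whole-word, case-insensitive alternation of the sensitive tokens, built once for
// the type. Note "\*" between "\b" anchors only matches a '*' between two word characters.
private static readonly Regex s_sqlKeywordEncoder = new Regex(
    @"\b(and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators)\b",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

/// <summary>
/// Wraps every sensitive SQL word found in <paramref name="inputstring"/> in square
/// brackets ("select" becomes "[select]") so the value can be stored or forwarded and
/// later restored with <see cref="mydecodeoutputstring"/>.
/// </summary>
/// <param name="inputstring">User-supplied text; null or empty is returned unchanged.</param>
/// <returns>
/// The text with each whole-word match bracketed exactly once, or an empty string if
/// the replacement itself fails (fail closed).
/// </returns>
/// <remarks>
/// A single regex replacement is used. The original looped over the matches and called
/// String.Replace for each one, which re-wrapped every earlier occurrence of a repeated
/// word ("select select" came out as "[[select]] [[select]]").
/// Word matching is a heuristic (see <see cref="Processsqlstr"/>); parameterized queries
/// remain the actual injection defence.
/// </remarks>
public string myencodeinputstring(String inputstring)
{
    if (string.IsNullOrEmpty(inputstring))
    {
        return inputstring;
    }

    try
    {
        // "$1" re-emits the matched word with its original casing.
        return s_sqlKeywordEncoder.Replace(inputstring, "[$1]");
    }
    catch (Exception)
    {
        // Fail closed, as the original did: drop the value rather than pass it on
        // unfiltered. With a precompiled pattern the only realistic failure is a regex
        // match timeout, if one is configured for the process.
        return "";
    }
}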
130
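// Bracketed, whole-word, case-insensitive form of the sensitive tokens, built once for
// the type. Because "\b" needs an adjacent word character, "[*]" never matches here.
private static readonly Regex s_sqlKeywordDecoder = new Regex(
    @"\[\b(and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators)\b\]",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

/// <summary>
/// Restores text produced by <see cref="myencodeinputstring"/>: every bracketed
/// sensitive word ("[select]") is converted back to the bare word ("select").
/// </summary>
/// <param name="outputstring">Encoded text; null or empty is returned unchanged.</param>
/// <returns>
/// The text with one layer of brackets removed from each bracketed word, or an empty
/// string if the replacement itself fails (fail closed).
/// </returns>
/// <remarks>
/// A single regex replacement strips exactly one bracket layer per match. The original
/// looped over the matches and called String.Replace for each one, so a bracketed word
/// that appeared more than once had additional layers stripped on later iterations.
/// </remarks>
public string mydecodeoutputstring(String outputstring)
{
    if (string.IsNullOrEmpty(outputstring))
    {
        return outputstring;
    }

    try
    {
        // "$1" is the word without its surrounding brackets.
        return s_sqlKeywordDecoder.Replace(outputstring, "$1");
    }
    catch (Exception)
    {
        // Fail closed, as the original did. With a precompiled pattern the only realistic
        // failure is a regex match timeout, if one is configured for the process.
        return "";
    }
}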
Summary of SQL injection attack prevention