Website injection and Prevention

The method of website injection and prevention: http://topic.csdn.net/u/20090729/14/26381958-0d6e-4b90-bc90-d275e9621f93.html

• Never use dynamic assembled SQL statements. You can use parameterized SQL statements or directly use stored procedures for data query and access.
• For string parameters, single quotes should be replaced, and "'" should be replaced with "'".
• Never trust users' input. Validate user input. You can use regular expressions or limit the length. Convert single quotes and double.
• Never use a database connection with administrator permissions, and use a database connection with limited permissions for each application.
• Do not store confidential information directly, encrypt or hash passwords and sensitive information.
• The application exception information should be given as few prompts as possible. It is best to use custom error information to wrap the original error information.

Recently, many websites have been injected with JS and IFRAME. A lot.
I once took over a relatively large website and was hacked. I had to clean up the mess ..
1. First, I will check the server configuration and reconfigure the server security. For more information, see
Http://hi.baidu.com/zzxap/blog/item/18180000ff921516738b6564.html
2. Second, use coffee custom policies, even if the websiteProgramVulnerabilities make it difficult for others to write data to files.Code.
Refer to the custom policy. With this policy, you cannot write my files even if the program crashes.
Http://hi.baidu.com/zzxap/blog/item/efe093a7e0f2c190d04358ef.html
3. You can use the network super patrol to delete the injected JS Code.
Reference
Http://blog.csdn.net/zzxap/archive/2010/04/07/5459065.aspx
4. How do I batch Delete the injected code in the database?
Run this code in the database query analyzer.

SQL code

Declare @ fieldtype sysname set @ fieldtype = 'varchar '-- delete the declare hcforeach cursor global for select n 'update' + quotename (O. name) + N 'set' + quotename (C. name) + N' = Replace ('+ quotename (C. name) + ', ''<script_src = http://ucmal.com/0.js> </SCRIPT>'', ''')' from sysobjects o, syscolumns C, policypes t where o. id = C. ID and objectproperty (O. ID, N 'isusertable') = 1 and C. xusertype = T. xusertype and T. name = @ fiel Dtype exec sp_msforeach_worker @ command1 = n '? '

5. Create a trigger. If </SCRIPT> exists, it is not inserted, which may affect the performance.

SQL code

Create trigger tr_table_insertupdate on tablename for insert, update as if exists (select 1 from inserted where data like '% </SCRIPT> %') Begin raiserror ('cannot be modified or add ', 16, 1); rollback transaction end go

6. The most important thing is program writing, using parameterized SQL or stored procedures.
For example

C # code

Protected void cmdok_click (Object sender, eventargs e) {// Add information stringbuilder SQL = new stringbuilder ("insert into m_phone (PID, phonename, num, price, phonetype, onselltime, color, weight, video, camera, phonesize, phonesystem, memorysize, phonedesc, standbytime, screensize, frequency, inputmethod, soundrecord, GPS, FM, MP3, email, infrared, game, clock, calendar, calculator, Bluetooth) "); SQL. append ("values (@ PID, @ text Phonename, @ textnum, @ textprice, @ dropphonetype2, @ textonselltime, @ textcolor, @ textweight ");................. sqlparameter [] paras = {New sqlparameter ("@ PID", sqldbtype. int, 4), new sqlparameter ("@ textphonename", sqldbtype. nvarchar, 50), new sqlparameter ("@ textnum", sqldbtype. int, 4), new sqlparameter ("@ textprice", sqldbtype. int, 4), new sqlparameter ("@ dropphonetype2", sqldbtype. varchar, 20), n EW sqlparameter ("@ textonselltime", sqldbtype. datetime, 8), new sqlparameter ("@ textcolor", sqldbtype. varchar, 20), new sqlparameter ("@ textweight", sqldbtype. nvarchar, 50 ),...........}; string [] stra = {dropphonetype. selectedvalue, textphonename. text, textnum. text, textprice. text, dropphonetype2.selectedvalue, textonselltime. text, textcolor. text, textweight. text ,.............}; int A = stra. leng Th; Int J; For (j = 0; j <A; j ++) {paras [J]. value = stra [J];} int strpid = 0; string sqla = SQL. tostring (); try {sqlhelper. excutenonqurey (sqla, commandtype. text, paras); // execute the add data strpid = convert. toint32 (sqlhelper. excutesclare (sqla, commandtype. text, paras); // obtain the ID number just inserted} catch (sqlexception ex) {cmdreturn. TEXT = ex. message. tostring ();} cmdreturn. TEXT = strpid. tostring ();.........

7. The parameters passed through the URL must be encrypted and decrypted.

C # code

Transmit string sztmp = "safdsfdsafdsfytrsd"; sztmp = server. urlencode (sztmp); Receive string stra = server. urldecode (request. querystring (sztmp ));

8. process the parameters to be used in single quotes and place them in SQL.
For example, string stra = AA. Replace ("'","''")
You can use parameterized SQL statements without processing single quotes.
Specify the parameter type and filter out single quotes to prevent 99.9% intrusion.
In addition, those programs on the Internet that are regarded as Bible filters for keyword such as update insert are of little use. upupdatedate filters out update or update.
It also causes unnecessary trouble.