Program
Author: Amoy Net
Source: Amoy Net
NOTE: Reprint please indicate the source
Prevent SQL injection, usually a file modification is not only troublesome but also the risk of leakage, I would say how to prevent injection from the whole system.
Do the following three steps, I believe that the program will be more secure, and the entire site will be the maintenance of a simple change.
First, the Data validation class:
ParameterCheck.cs
public class parametercheck{
public static bool Isemail (string emailstring) {
Return System.Text.RegularExpressions.Regex.IsMatch (emailstring, "[' \\w_-]+" (\\.[' \\w_-]+) *@[' \\w_-]+ (\\.[' \\w_-]+) *\\. [A-za-z] {2,4} ");
}
public static bool Isint (string intstring) {
Return System.Text.RegularExpressions.Regex.IsMatch (intstring, "^ (\\d{5}-\\d{4}) |" ( \\D{5}) $ ");
}
public static bool Isuszip (string zipstring) {
Return System.Text.RegularExpressions.Regex.IsMatch (zipstring, "^-[0-9]+$|^[0-9]+$");
}
}
Second, web.config
In your Web.config file, add a label below <appSettings>:
<appSettings>
<add key= "Safeparameters" value= "Orderid-int32,customeremail-email,shippingzipcode-uszip"/>
</appSettings>
Where key is <saveParameters> after the value is "Orderid-int32", where "-" preceded by the name of the parameter, such as: OrderId, followed by the int32 represents the data type.
Third, Global.asax
Add the following paragraph to the Global.asax:
protected void Application_BeginRequest (Object sender, EventArgs e) {
string[] safeparameters = system.configuration.configurationsettings.appsettings["SafeParameters"]. ToString (). Split (', ');
for (int i= 0; i < safeparameters.length; i++) {
String parametername = safeparameters[i]. Split ('-') [0];
String parametertype = safeparameters[i]. Split ('-') [1];
Isvalidparameter (ParameterName, parametertype);
}
}
public void Isvalidparameter (string parametername, String parametertype) {
String parametervalue = Request.querystring[parametername];
if (ParameterValue = null) return;
if (Parametertype.equals ("Int32")) {
if (!parametercheck.isint (ParameterValue)) Response.Redirect ("parametererror.aspx");
}
else if (parametertype.equals ("double")) {
if (!parametercheck.isdouble (ParameterValue)) Response.Redirect ("parametererror.aspx");
}
else if (parametertype.equals ("Uszip")) {
if (!parametercheck.isuszip (ParameterValue)) Response.Redirect ("parametererror.aspx");
}
else if (parametertype.equals ("email")) {
if (!parametercheck.isemail (ParameterValue)) Response.Redirect ("parametererror.aspx");
}
}
Later need to modify the time we only need to modify the above three files, the entire system maintenance will be greatly improved efficiency, of course, you can according to their own needs to add other variable parameters and data types.