// Method 1 (.NET): to guard against SQL injection, add the following to the Global.asax file.

/// <summary>
/// Runs at the start of every request and hands the request over to the
/// request-scanning filter (StartProcessRequest).
/// </summary>
/// <param name="sender">The application object raising the event.</param>
/// <param name="e">Event arguments; not used by the handler.</param>
void Application_BeginRequest(object sender, EventArgs e)
{
    // All of the work happens in StartProcessRequest; this handler only wires it up.
    StartProcessRequest();
}
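#region SQL injection attack code analysis

/// <summary>
/// Scans every query-string value and every form value of the current
/// request with ProcessSqlStr and redirects to the error page as soon as
/// one value is rejected.
/// </summary>
/// <remarks>
/// This is a request-level blacklist, not an injection defense. The
/// substring test in ProcessSqlStr also rejects ordinary words such as
/// "Andrew", "middle" or "character", and a fixed word list cannot cover
/// every way a query can be malformed. The mitigation that actually
/// prevents SQL injection is to pass user input to the database only as
/// query parameters (never by string concatenation); keep this filter,
/// if at all, as a defense-in-depth / logging signal in front of that.
/// NOTE(review): literals were normalized from the garbled listing
/// ("Error. aspx" -> "Error.aspx", "_ Viewstate" -> "__VIEWSTATE").
/// </remarks>
private void StartProcessRequest()
{
    const string sqlErrorPage = "Error.aspx"; // redirect target for a rejected request
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    try
    {
        // Query string: every value is checked.
        if (context.Request.QueryString != null)
        {
            System.Collections.Specialized.NameValueCollection query = context.Request.QueryString;
            for (int i = 0; i < query.Count; i++)
            {
                if (!ProcessSqlStr(query[query.Keys[i]]))
                {
                    // Redirect(url) ends the response itself (endResponse defaults
                    // to true), so the separate Response.End() the original had
                    // after it was never reached.
                    context.Response.Redirect(sqlErrorPage);
                }
            }
        }

        // Form: every value except the page's serialized view state is checked.
        if (context.Request.Form != null)
        {
            System.Collections.Specialized.NameValueCollection form = context.Request.Form;
            for (int i = 0; i < form.Count; i++)
            {
                string key = form.Keys[i];
                // __VIEWSTATE is base64 page state, not a user-typed value; its
                // random letters would trip the substring test, so it is skipped.
                if (key == "__VIEWSTATE") continue;
                if (!ProcessSqlStr(form[key]))
                {
                    context.Response.Redirect(sqlErrorPage);
                }
            }
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Response.Redirect to stop the pipeline; let it propagate.
        throw;
    }
    catch (System.Exception)
    {
        // Fail closed: the original swallowed every exception here, which let a
        // request continue unchecked whenever the filter itself failed.
        context.Response.Redirect(sqlErrorPage);
    }
}

/// <summary>
/// Tests one submitted value against a fixed list of SQL fragments.
/// </summary>
/// <param name="str">A user-submitted value (query-string or form field).</param>
/// <returns>
/// true when the value is blank or contains none of the fragments;
/// false when any fragment occurs, or when the value is null.
/// </returns>
/// <remarks>
/// Matching is a case-insensitive substring search, so fragments such as
/// "and", "mid", "char" and "count" also reject normal words that contain
/// them. The list is a heuristic, not an allow-list; see StartProcessRequest.
/// </remarks>
private bool ProcessSqlStr(string str)
{
    // The original hit a NullReferenceException on null and returned false from
    // its catch block; keep that (fail-closed) result, but make it explicit.
    if (str == null) return false;
    if (str.Trim() == "") return true;

    // Fragment list, '.'-separated as in the original listing.
    string[] fragments =
        "and.exec.insert.select.delete.update.count.*.chr.mid.master.truncate.char.declare".Split('.');

    foreach (string fragment in fragments)
    {
        // Ordinal, case-insensitive comparison instead of ToLower()+IndexOf():
        // the culture-sensitive form can miss matches under some cultures
        // (e.g. the Turkish dotted/dotless i), which a filter must not do.
        if (str.IndexOf(fragment, System.StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }
    return true;
}

#endregion

// Method 2: add a class to the App_Code folder; the content of Sqlzr.cs is as follows.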
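// Sqlzr.cs

/// <summary>
/// Helper that strips a fixed set of characters and sequences from a
/// request value before the value is used.
/// </summary>
/// <remarks>
/// Stripping is lossy and incomplete as a defense: legitimate values such
/// as "O'Brien", "2024-01-01" or "a+b" are silently altered, and removing
/// punctuation does not stop every injected SQL expression. Treat it as
/// defense in depth only; the value should still reach the database as a
/// query parameter, never concatenated into SQL text.
/// </remarks>
public class Sqlzr
{
    /// <summary>
    /// Sequences removed by DelSqlStr, in the order the original applied them.
    /// The order matters: "%20" must be removed before "%" (otherwise "20"
    /// would be left behind). The original also replaced "=" a second time;
    /// that repeat was a no-op and is dropped here.
    /// </summary>
    private static readonly string[] StrippedSequences =
        { ";", "'", "&", "%20", "--", "=", "<", ">", "%", "+", "-", "," };

    public Sqlzr()
    {
        // TODO: add constructor logic here
    }

    /// <summary>
    /// Returns <paramref name="str"/> with every sequence in
    /// StrippedSequences removed.
    /// </summary>
    /// <param name="str">The value to clean; null or empty yields "".</param>
    /// <returns>The cleaned value, never null.</returns>
    public static string DelSqlStr(string str)
    {
        // Original used a non-short-circuit `str == null | str == ""`; same result.
        if (string.IsNullOrEmpty(str)) return "";

        foreach (string sequence in StrippedSequences)
        {
            str = str.Replace(sequence, "");
        }
        return str;
    }
}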
Then replace `Request.QueryString["ID"]` with `Sqlzr.DelSqlStr(Request.QueryString["ID"])`.