Anti-injection code for JS and C# respectively

Source: Internet
Author: User
Tags: servervariables

If your query statement is select * from Admin where username='"&user&"' and Password='"&pwd&"'
and my user name is: 1' or '1'='1
then your query statement becomes:
select * from Admin where username='1' or '1'='1' and Password='"&pwd&"'
The WHERE clause is now true for every row, so the query passes and you can reach the management interface.
Therefore you must check user input for defensive purposes. In particular, special characters such as single quotes, double quotes, semicolons, commas, colons and connector characters such as hyphens should be escaped or filtered.
Special characters and strings to be filtered include:
net user
xp_cmdshell
/add
exec master.dbo.xp_cmdshell
net localgroup administrators
select
count
asc
char
mid
'
:
"
insert
delete from
drop table
update
truncate
from
%
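The login query from the start of the page, built both ways, as an added example that is not part of the original article: the concatenated form the article shows being subverted, beside a parameterized ADO.NET form that needs no keyword blocklist at all. It assumes System.Data.SqlClient, an already open SqlConnection, and the Admin table with username and Password columns that the article's query names.

```csharp
using System.Data;
using System.Data.SqlClient;

static class AdminLogin
{
    // Vulnerable: the user-controlled values are pasted into the SQL text exactly as in the
    // article's query, so a user name such as  1' or '1'='1  rewrites the WHERE clause.
    public static string BuildConcatenatedQuery(string user, string pwd)
    {
        return "select * from Admin where username='" + user + "' and Password='" + pwd + "'";
    }

    // Hardened: the SQL text is fixed and the values travel as typed parameters, so quotes,
    // semicolons or keywords inside user/pwd are data, never SQL. No blocklist is needed.
    // Assumes an open SqlConnection and nvarchar(50) columns (constructed assumption).
    public static bool IsValidLogin(SqlConnection conn, string user, string pwd)
    {
        const string sql = "select 1 from Admin where username = @user and Password = @pwd";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 50).Value = pwd;
            // ExecuteScalar returns null when no row matches
            return cmd.ExecuteScalar() != null;
        }
    }
}
```

Calling BuildConcatenatedQuery with the article's user name reproduces the rewritten statement shown above, while IsValidLogin with the same input simply finds no matching row.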
Two pieces of JS code to prevent SQL injection attacks:
[Code start]
<script language="JavaScript">
<!--
// Reject requests whose query string contains SQL keywords or dangerous characters.
// location.search is URL-encoded, so spaces appear as %20 in the patterns below.
var url = location.search;
var re = /^\?(.*)(select%20|insert%20|delete%20from%20|count\(|drop%20table|update%20|truncate%20|asc\(|mid\(|char\(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|\"|:|net%20user|\'|%20or%20)(.*)$/i;
var e = re.test(url);
if (e) {
    alert("The address contains invalid characters~");
    location.href = "error.asp";
}
//-->
</script>
Login and password input judgment:
// Prevents illegal string injection: returns true when str contains any blocked token
function checkUserAvoid(str) {
    var inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    var inj_stra = inj_str.split("|");
    for (var i = 0; i < inj_stra.length; i++) {
        // indexOf is case-sensitive, so compare in lower case like the tokens in the list
        if (str.toLowerCase().indexOf(inj_stra[i]) >= 0)
            return true;
    }
    return false;
}
[Code end]
ASP code to prevent SQL injection attacks:
[Code start]
<%
On Error Resume Next
Dim strTemp, strCheck
' Rebuild the full URL of the current request: scheme, host, port, path and query string
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
    strTemp = "http://"
Else
    strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp = strTemp & ":" & Request.ServerVariables("SERVER_PORT")
strTemp = strTemp & Request.ServerVariables("URL")
If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
strTemp = LCase(strTemp)
' Test only the part after "://"; otherwise the ":" pattern below would match the scheme of every
' request (a non-standard port such as :8080 still trips it)
strCheck = Mid(strTemp, InStr(strTemp, "://") + 3)
If InStr(strCheck, "select%20") Or InStr(strCheck, "insert%20") Or InStr(strCheck, "delete%20from") Or InStr(strCheck, "count(") Or InStr(strCheck, "drop%20table") Or InStr(strCheck, "update%20") Or InStr(strCheck, "truncate%20") Or InStr(strCheck, "asc(") Or InStr(strCheck, "mid(") Or InStr(strCheck, "char(") Or InStr(strCheck, "xp_cmdshell") Or InStr(strCheck, "exec%20master") Or InStr(strCheck, "net%20localgroup%20administrators") Or InStr(strCheck, ":") Or InStr(strCheck, "net%20user") Or InStr(strCheck, "'") Or InStr(strCheck, "%20or%20") Then
    Response.Write "<script language='JavaScript'>"
    Response.Write "alert('Invalid address!!');"
    Response.Write "location.href='error.asp';"
    Response.Write "</script>"
End If
%>
[Code end]
C# string check to prevent SQL injection attacks
This example tentatively treats "=" and "'" as the illegal characters.
[Code start]
using System.Collections;
using System.Text.RegularExpressions;

bool CheckParams(params object[] args)
{
    string[] lawlesses = { "=", "'" };
    if (lawlesses == null || lawlesses.Length <= 0) return true;
    // Build a regular expression from the character array. For example, when lawlesses holds
    // "=" and "'", the expression is .*[=|'].* (see MSDN for details on regular expressions).
    // Inside a character class the "|" is a literal, so the pipe character is rejected as well.
    // The array-to-regex step keeps the function general and easy to modify; in actual use the
    // regular expression can be written directly.
    string str_regex = ".*[";
    for (int i = 0; i < lawlesses.Length - 1; i++)
        str_regex += lawlesses[i] + "|";
    str_regex += lawlesses[lawlesses.Length - 1] + "].*";

    foreach (object arg in args)
    {
        if (arg is string) // a string is checked directly
        {
            if (Regex.Matches(arg.ToString(), str_regex).Count > 0)
                return false;
        }
        else if (arg is ICollection) // a collection: check each element that is a string
        {
            foreach (object obj in (ICollection)arg)
            {
                if (obj is string)
                {
                    if (Regex.Matches(obj.ToString(), str_regex).Count > 0)
                        return false;
                }
            }
        }
    }
    return true;
}
[Code end]