Anti-injection code for JS and C # Respectively

Last Update:2018-12-08 Source: Internet

Author: User

Tags servervariables

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

If your query statement is select * from Admin where username = ''' "& user &" ''' and Password = ''' "& PWD &"'' ''"
Then, if my user name is: 1 ''' or ''' 1 ''' = ''' 1
Then, your query statement will become:
Select * from Admin where username = ''' 1 or ''' 1' 1 ''' = '''1' and Password = ''''" & PWD &"''''"
In this way, your query statements are passed and you can access your management interface.
Therefore, you need to check user input for defense purposes. In particular, some special characters, such as single quotes, double quotation marks, semicolons, commas, colons, and connection numbers, are converted or filtered.
Special characters and strings to be filtered include:
Net user
Xp_mongoshell
/Add
Exec master. DBO. xp_mongoshell
Net localgroup Administrators
Select
Count
ASC
Char
Mid
''''
:
"
Insert
Delete from
Drop table
Update
Truncate
From
%
Two sections of the JS version to prevent SQL injection attacks Code ~ :
[Code start]
<Script language = "JavaScript">
<! --
VaR url = Location-. search;
VaR Re =/^ \? (. *) (Select % 20 | insert % 20 | Delete % 20 from % 20 | count \ (| drop % 20table | update % 20 truncate % 20 | ASC \ (| mid \ (| char \ (| xp_mongoshell | exec % 20master | net % 20 localgroup % 20administrators | \ "|: | net % 20user | \ ''' | % 20or % 20 )(. *) $/GI;
VaR E = Re. Test (URL );
If (e ){
Alert ("the address contains invalid characters ~ ");
Location-href = "error. asp ";
}
// -->
<SCRIPT>
Login and password input judgment
// Prevents illegal string Injection
Function checkuseravoid (STR ){
VaR inj_str = "'| and | exec | insert | select | Delete | update | count | * | % | CHR | mid | master | truncate | char | declare |; | or |-| + | ,";
VaR sarray = new array ();
Sarray = inj_str.split ('| ');
For (VAR I = 0; I <inj_stra.length; I ++ ){
If (Str. indexof (inj_stra)> = 0)
Return true;
}
Return false;
}
[Code end]
Code for ASP to prevent SQL injection attacks ~ :
[Code start]
<%
On Error resume next
Dim strtemp
If lcase (request. servervariables ("HTTPS") = "off" then
Strtemp = "http ://"
Else
Strtemp = "https ://"
End if
Strtemp = strtemp & request. servervariables ("SERVER_NAME ")
If request. servervariables ("server_port") <> 80 then strtemp = strtemp & ":" & request. servervariables ("server_port ")
Strtemp = strtemp & request. servervariables ("url ")
If trim (request. querystring) <> "then strtemp = strtemp &"? "& Trim (request. querystring)
Strtemp = lcase (strtemp)
If instr (strtemp, "select % 20") or instr (strtemp, "insert % 20") or instr (strtemp, "Delete % 20 from") or instr (strtemp, "Count (") or instr (strtemp, "Drop % 20 table") or instr (strtemp, "Update % 20") or instr (strtemp, "truncate % 20 ") or instr (strtemp, "ASC (") or instr (strtemp, "mid (") or instr (strtemp, "char (") or instr (strtemp, "xp_{shell ") or instr (strtemp, "Exec % 20 master") or instr (strtemp, "net % 20 localgroup % 20 administrators") or instr (strtemp ,":") or instr (strtemp, "net % 20 user") or instr (strtemp, "'''") or instr (strtemp, "% 20or % 20") then
Response. Write "<script language = ''' JavaScript '''>"
Response. Write "alert (''' Invalid Address !! '''');"
Response. Write "location-href = ''' error. asp '''';"
Response. Write "<SCRIPT>"
End if
%>
[Code end]
C # Check strings to prevent SQL injection attacks
This example is tentatively set to "=" and "'''".
Bool checkparams (Params object [] ARGs)
{
String [] lawlesses = {"= ","''''"};
If (lawlesses = NULL | lawlesses. Length <= 0) return true;
// Construct a regular expression. For example, if lawlesses is the = and ''' signs, the regular expression is. * [=} ''']. * (for more information about regular expressions, see msdn)
// In addition, because I want to make a general and easy-to-Modify function, I have added a step from a character array to a regular expression. In actual use, I can directly write a regular expression;
String str_regex = ".*[";
For (INT I = 0; I <lawlesses. Length-1; I ++)
Str_regex + = lawlesses + "| ";
Str_regex + = lawlesses [lawlesses. Length-1] + "]. *";
//
Foreach (Object ARG in ARGs)
{
If (Arg is string) // if it is a string, directly check
{
If (RegEx. Matches (Arg. tostring (), str_regex). Count> 0)
Return false;
}
Else if (Arg is icollection) // if it is a set, check whether the element in the set is a string or not.
{
Foreach (Object OBJ in (icollection) Arg)
{
If (obj is string)
{
If (RegEx. Matches (obj. tostring (), str_regex). Count> 0)
Return false;
}
}
}
}
Return true;

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More