Asp.net anti-injection method)

To prevent SQL injection, modifying files one by one is not only troublesome but also dangerous. Next I will explain how to prevent injection from the entire system.

Follow these three steps:ProgramIt will be safer and the maintenance of the entire website will become simpler.

I. Data Verification

Parametercheck. CS public class parametercheck {
Public static bool isemail (string emailstring ){
Return System. Text. regularexpressions. RegEx. ismatch (emailstring, "['" W _-] + ("". [' "W _-] +)
* @ ['"W _-] + ("". ['"W _-] + )*"". [A-Za-Z] {2, 4 }");
}
Public static bool isint (string intstring ){
Return System. Text. regularexpressions. RegEx. ismatch (intstring, "^ (" "d {5}-" "d {4}) | (" "d {5 })
$ ");
}
Public static bool isuszip (string zipstring ){
Return System. Text. regularexpressions. RegEx. ismatch (zipstring, "^-[0-9] + $ | ^ [0-9] + $ ");
}
}
Ii. Web. config

Add a tag in your web. config file as follows:

Key is followed by a value such as "OrderId-int32", where "-" represents the name of the parameter such as: orderid, followed by int32 represents the data type.

Iii. Global. asax

Add the following section to global. asax:

Protected void application_beginrequest (Object sender, eventargs e ){
String [] safeparameters = system. configuration. configurationsettings. deleettings
["Safeparameters"]. tostring (). Split (',');
For (INT I = 0; I <safeparameters. length; I ++ ){
String parametername = safeparameters [I]. Split ('-') [0];
String parametertype = safeparameters [I]. Split ('-') [1];
Isvalidparameter (parametername, parametertype );
}
}

Public void isvalidparameter (string parametername, string parametertype ){
String parametervalue = request. querystring [parametername];
If (parametervalue = NULL) return;

If (parametertype. Equals ("int32") {
If (! Parametercheck. isint (parametervalue) response. redirect ("parametererror. aspx ");
}< br> else if (parametertype. equals ("uszip") {
If (! Parametercheck. isuszip (parametervalue) response. redirect ("parametererror. aspx ");
}< br> else if (parametertype. equals ("email") {
If (! Parametercheck. isemail (parametervalue) response. redirect ("parametererror. aspx ");
}< BR >}< br> in the future, we only need to modify the above three files. Maintenance of the entire system will greatly improve the efficiency, of course, you can add other variable parameters and data types as needed.