ASP.NET data filtering: practical skills

Source: Internet
Author: User
Tags: sql injection
In ASP.NET, most security problems come from the following three areas:
1. Upload
2. Cross-site scripting (XSS)
3. Injection
Upload security is beyond the scope of this article; only cross-site scripting and injection are discussed here, and both are basically a matter of filtering! Injection is put last because SQL injection has been played for so many years that everyone should already take some precautions; with a little attention, a successful injection against ASP.NET is still quite rare! Note the following points.
1. All parameters: if a parameter is of type int, convert it to int again! Don't rely on boxing and unboxing! Presumably nobody today puts the SQL statement directly in the web page and concatenates strings; at least a few classes are used, with some simple logic in between to process the input! Type conversion is still involved.
2. Use parameterized queries as far as possible!
3. At least take care to filter single quotes (in fact, if parameterized queries are used, not filtering is fine, but I still filter out of habit)!
4. Do not expose raw errors directly to the user! This is not only to prevent injection, it is also a user-experience problem! By overriding the OnError event in a page class and inheriting from it again, this can be handled very well!
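The four points above, applied together in one data-access path. This is an added example and not code from the original post; the table "Articles" with an integer column "Id", the query-string key "id", the connection-string name "Main" and the page "~/Error.aspx" are placeholders, and the logging call in OnError is left to the application.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// Added example (not the post's code). "Articles", "Id", "id", "Main" and "~/Error.aspx"
// are placeholder names chosen for this illustration.
public class ArticleRepository
{
    private readonly string _connectionString;

    public ArticleRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Point 1: the request value is a string; convert it to int before it goes anywhere near SQL.
    // int.TryParse accepts only an integer, so a value such as "1 OR 1=1" never reaches the query.
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, out id) && id > 0;
    }

    // The 'before' form, kept only for comparison: the raw string is stitched into the SQL text,
    // so whatever it contains is interpreted as SQL.
    public static string BuildUnsafeSql(string rawId)
    {
        return "SELECT Title, Body FROM Articles WHERE Id = " + rawId;
    }

    // Point 2: parameterized query. The value travels as a typed parameter, never as SQL text,
    // which is also why point 3 (single quotes) needs no extra handling on this path.
    public DataTable GetArticle(int id)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT Title, Body FROM Articles WHERE Id = @Id", conn))
        {
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);
            }
        }
        return table;
    }
}

// Point 4: a base page that overrides OnError so the raw exception text never reaches the browser.
// Pages inherit from this class instead of System.Web.UI.Page.
public class SafePage : Page
{
    protected override void OnError(EventArgs e)
    {
        base.OnError(e);                       // let any registered Error handlers run first
        Exception ex = Server.GetLastError();  // log ex server-side with the application's logger
        Server.ClearError();                   // stop ASP.NET from rendering the exception page
        Response.Redirect("~/Error.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// Usage: a page derived from SafePage that reads ?id= and loads the article.
public class ArticlePage : SafePage
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        int id;
        if (!ArticleRepository.TryParseId(Request.QueryString["id"], out id))
        {
            Response.StatusCode = 400;  // bad input is rejected, neither echoed back nor passed on
            return;
        }
        var repo = new ArticleRepository(
            ConfigurationManager.ConnectionStrings["Main"].ConnectionString);
        DataTable article = repo.GetArticle(id);
        // bind article to the page's controls here
    }
}
```

The conversion in TryParseId and the typed SqlParameter are what actually keep the request value out of the SQL grammar; BuildUnsafeSql is shown only so the difference is visible side by side.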
Compared with that, defending against cross-site scripting is a lot more trouble. Filtering has always been a tangled matter: filter too strictly and normal use is affected; filter poorly and there are security problems! I have just written the filter class below; there may be places it does not consider, and I hope everyone can point them out.
The code is as follows:

using System.Text.RegularExpressions;

public static string StringFilters(string input)
{
    if (string.IsNullOrEmpty(input))
        return input;

    /* Cross-site (XSS) attacks */
    // Several replacement strings were garbled in extraction (they came out identical to the pattern);
    // the values below are reconstructed so that each replacement differs from what it matches and
    // does not itself contain the matched word, as the note after the code requires.
    input = input.Replace("&#", "&amp;#"); // filter the &# attack mode: javascript:alert('XSS') written with &#NNN; entities
    input = Regex.Replace(input, @"javascript:", "javascript：", RegexOptions.IgnoreCase); // filter the JS attack mode: javascript:alert('XSS')
    input = Regex.Replace(input, @"vbscript:", "vbscript：", RegexOptions.IgnoreCase); // filter the VBScript attack mode: vbscript:msgbox('XSS')
    input = Regex.Replace(input, @"j *a *v *a *s *c *r *i *p *t:", "javascript：", RegexOptions.IgnoreCase); // attack mode: java script:al ert('XSS')
    input = Regex.Replace(input, @"\/\*[\s\S]*\*\/", "<!--code-->", RegexOptions.IgnoreCase); // CSS comments
    input = Regex.Replace(input, @"expression", "expres sion", RegexOptions.IgnoreCase); // CSS expression(); reconstructed value
    input = Regex.Replace(input, @"<[\u0020]*style[^>]*>", "S:yle", RegexOptions.IgnoreCase);
    input = Regex.Replace(input, @"<[^>]*object[^>]*>", "objec&#58;", RegexOptions.IgnoreCase); // attack mode: <object type="text/x-scriptlet" data="http://www.cnblog.cn"></object>; note that Flash cannot be used after this filter
    /* All kinds of event filtering */
    input = Regex.Replace(input, @"<[^>]*[\u0020]+on[A-Za-z]{3,20}[\u0020]*=[\u0020]*[^>]*>", "Js Event", RegexOptions.IgnoreCase);
    input = input.Replace("'", "''"); // single quotation mark, prevents SQL injection
    input = Regex.Replace(input, @"script", "scr&#105;pt", RegexOptions.IgnoreCase); // prevent script attacks
    input = Regex.Replace(input, @"frame", "fr&#97;me", RegexOptions.IgnoreCase); // prevent iframe trojan embedding
    input = Regex.Replace(input, @"form", "f&#111;rm", RegexOptions.IgnoreCase); // forbid form submission
    input = Regex.Replace(input, @"meta", "m&#101;ta", RegexOptions.IgnoreCase); // prevent meta redirect to an illegal web page
    return input;
}

One more point: when filtering, do not replace the string with an empty string; that has its own security problem. It must be replaced with a different string. For example, if "Hello" is filtered with Replace("Hello", ""), the user can construct a string in which "Hello" is nested inside another, split-up "Hello"; what the replace outputs, I need not say, everyone knows!
Also, this is written for the case where HTML is supported, so it does not worry about angle brackets directly!
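The nesting problem described above, made concrete. This is an added example and not the original post's code; the keyword "script", the nested input string and the replacement "scr&#105;pt" are constructed for the demonstration. It shows a single-pass delete filter reassembling the keyword, the replace-with-a-different-string approach the article recommends, a bounded loop-until-stable variant for the case where deletion is really wanted, and HttpUtility.HtmlEncode for fields that do not need HTML at all.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not the post's code). Keyword, inputs and replacement are constructed.
public static class FilterDemo
{
    private const string Keyword = "script";

    // The flawed form: delete the keyword. Regex.Replace makes one left-to-right pass, so an input
    // that nests the keyword inside a split copy of itself yields the keyword after the removal.
    public static string StripOnce(string input)
    {
        return Regex.Replace(input, Keyword, "", RegexOptions.IgnoreCase);
    }

    // Fix 1 (the article's recommendation): replace with a string that differs from the match and
    // does not contain it. "scr&#105;pt" is not a <script> tag name to the HTML parser (character
    // references are not decoded inside tag names) but renders as the text "script" in body text.
    public static string Neutralize(string input)
    {
        return Regex.Replace(input, Keyword, "scr&#105;pt", RegexOptions.IgnoreCase);
    }

    // Fix 2: if deletion is really wanted, repeat until the text stops changing (a fixed point),
    // with a bound so that a pathological input cannot keep the loop busy.
    public static string StripUntilStable(string input, int maxRounds = 100)
    {
        for (int i = 0; i < maxRounds; i++)
        {
            string next = Regex.Replace(input, Keyword, "", RegexOptions.IgnoreCase);
            if (next == input)
                return next;
            input = next;
        }
        throw new InvalidOperationException("filter did not converge");
    }

    // For fields that never need HTML (names, titles), encode everything and skip keyword filtering.
    public static string EncodeForHtml(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    // The check to run on each filter's output: is the keyword still present?
    public static bool StillContains(string filtered)
    {
        return Regex.IsMatch(filtered, Keyword, RegexOptions.IgnoreCase);
    }

    public static void Main()
    {
        // Constructed input: "script" nested inside "scr" + "ipt".
        string nested = "<scrscriptipt>alert('XSS')</scrscriptipt>";

        string once = StripOnce(nested);
        string neutral = Neutralize(nested);
        string stable = StripUntilStable(nested);

        Console.WriteLine("strip once   : {0}  keyword left: {1}", once, StillContains(once));
        Console.WriteLine("neutralize   : {0}  keyword left: {1}", neutral, StillContains(neutral));
        Console.WriteLine("strip stable : {0}  keyword left: {1}", stable, StillContains(stable));
        Console.WriteLine("html encoded : {0}", EncodeForHtml(nested));
    }
}
```

StillContains is the property a filter should be tested against rather than the shape of any single input: for the delete-style filter it reports the keyword present again after one pass, for the other two it does not. The encode-everything path is the right choice wherever the field never has to carry markup, since it needs no keyword list to stay correct.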