ASPX anti-injection program V1.0

This article can exchange http://bbs.2cto.com/read.php with the author here? Tid = 96014

Although ASP. NET is a highly secure scripting language, but it is often seen in ASP.. NET website injection due to lax filtering. because ASP. NET is basically used with MMSQL database setup. If the permission is too large, it is easy to be attacked. in addition, no good ASP can be found on the network. NET injection prevention script, so I wrote it myself. this sharing aims to free programmers from the troubles of SQL injection.

I have written two versions, VB. NET and C #, to facilitate the use of different programs.

= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/213559A95-0.jpg); "height = 241 src =" http://www.bkjia.com/uploads/allimg/131121/213559A95-0.jpg "width = 560 onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>

= 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2135591L8-1.jpg); "height = 269 src =" http://www.bkjia.com/uploads/allimg/131121/2135591L8-1.jpg "width = 569 onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>

Description:
1. XP + IIS5.1 + Access + MSSQL2000 passed the test.
2. Considering that most of ASPX and MMSQL databases are used together, the MMSQL keyword is added here.
3. Place it in the database connection code, which is similar to ASP usage.


C # Code:

Public void JK1986_CheckSql ()
{
String jk1986_ SQL = "exec statements select statements drop statements alter statements exists except union statements and statements or both xor two order statements mid sequence asc statements execute statements before xp_statement shell statements insert statements update statements delete statements join statements declare invalid char should sp_oacreate should wscript. shell response xp_regwrite response failed; response -- Response % ";
String [] jk_ SQL = jk1986_ SQL .Split (bytes );
Foreach (string jk in jk_ SQL)
{
// ----------------------- Anti-Post injection -----------------------
If (Page. Request. Form! = Null)
{
For (int k = 0; k <Page. Request. Form. Count; k ++)
{
String getsqlkey = Page. Request. Form. Keys [k];
String getip;
If (Page. Request. Form [getsqlkey]. ToLower (). Contains (jk) = true)
{
Response. Write ("<script Language = JavaScript> alert (ASP. NET (C #) Anti-injection program prompts you, please do not submit illegal characters! Rows \ n \ nBlog = 700) window. open (http://www.bkjia.com/uploads/allimg/131121/2135594F7-2.gif); "src =" http://www.bkjia.com/uploads/allimg/131121/2135594F7-2.gif "onload =" if (this. width> 700) this. width = 700; if (this. height> 700) this. height = 700; "border = 0>Http://hi.baidu.com/ahhacker86\ N \ nBy: Phantom★Swordsman & JK1986); </"+" script> ");
Response. Write ("invalid operation! The system makes the following record "+" <br> ");
If (Request. ServerVariables ["HTTP_X_FORWARDED_FOR"]! = Null)
{
Getip = this. Page. Request. ServerVariables ["HTTP_X_FORWARDED_FOR"];
}
Else
{
Getip = Page. Request. ServerVariables ["REMOTE_ADDR"];
}
Response. Write ("operation I P:" + getip + "<br> ");
Response. Write ("operation time:" + DateTime. Now. ToString () + "<br> ");
Response. Write ("Operation Page:" + Page. Request. ServerVariables ["URL"] + "<br> ");
Response. Write ("delivery method: p o s t" + "<br> ");
Response. Write ("Submit parameter:" + jk + "<br> ");
Response. Write ("submit data:" + Page. Request. Form [getsqlkey]. ToLower () + "<br> ");
Response. End ();
}
}
}
// ----------------------- Prevent GET injection -----------------------
If (Page. Request. QueryString! = Null)
{
For (int k = 0; k <Page. Request. QueryString. Count; k ++)
{