To mitigate SQL injection when the existing code builds SQL by string concatenation, you can use the following class to filter requests site-wide; because that may affect all submitted data, you can instead call it only on the query pages.
Using System;
Using System.Collections.Generic;
Using System.Linq;
Using System.Web;
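/// <summary>
/// Anti-SQL-injection request checker.
/// Scans the query string and the posted form of the current request for a
/// blacklist of SQL keywords and special characters and, on a hit, writes a
/// small script that alerts the user and redirects them.
/// </summary>
/// <remarks>
/// This is a blacklist heuristic: it rejects any request whose parameter
/// values merely contain a listed token (a comma, a percent sign, the word
/// "and", ...), so false positives on ordinary input are likely, and a token
/// that is not on the list is not caught. It is a stop-gap for code that still
/// builds SQL by string concatenation; parameterized queries remain the fix.
/// </remarks>
public class Sqlchecker
{
    // Current request object; null when the parameterless constructor was used.
    private HttpRequest request;

    // Current response object; null when the parameterless constructor was used.
    private HttpResponse response;

    // Page the user is sent to after a hit. Empty means "reload the current URL".
    private string safeurl = string.Empty;

    // SQL keywords that may indicate an injection attempt, separated by '|'.
    // Adjust to the application's needs. Matching is case-insensitive and the
    // keyword must be bounded by a space on at least one side (see Checkkeyword).
    // NOTE(review): reconstructed from a garbled listing; the listing also shows
    // a shorter alternative set:
    //   "select|insert|delete|from|drop table|update|truncate|exec master|netlocalgroup administrators|:|net user|or|and"
    private const string Strkeyword = @"select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec master|netlocalgroup administrators|:|net user|""|or|and";

    // Special characters that may indicate an injection attempt, separated by '|'.
    // NOTE(review): the listing also shows a much narrower alternative, "=|!|".
    // Its trailing '|' yields an empty token, which IndexOf("") matches in every
    // string; empty tokens are therefore dropped when the list is split.
    private const string Strregex = @"-|;|,|/|(|)|[|]|}|{|%|@|*|!|'";

    // ASP.NET Web Forms hidden fields that carry page state; they are
    // base64-encoded and would trigger the blacklist constantly, so they are skipped.
    private const string ViewStateField = "__VIEWSTATE";
    private const string EventValidationField = "__EVENTVALIDATION";

    /// <summary>
    /// Creates a checker without a request/response. Only <see cref="Checkkeyword"/>
    /// (and <see cref="MSG"/> when a safe URL is set) can be used on such an instance.
    /// </summary>
    public Sqlchecker()
    {
    }

    /// <summary>
    /// Creates a checker that, after detecting SQL injection, reloads the current page.
    /// </summary>
    /// <param name="_request">Request object of the current request.</param>
    /// <param name="_response">Response object of the current request.</param>
    public Sqlchecker(HttpRequest _request, HttpResponse _response)
    {
        this.request = _request;
        this.response = _response;
    }

    /// <summary>
    /// Creates a checker that, after detecting SQL injection, redirects the
    /// browser to the page given by <paramref name="_safeurl"/>.
    /// </summary>
    /// <param name="_request">Request object of the current request.</param>
    /// <param name="_response">Response object of the current request.</param>
    /// <param name="_safeurl">URL the browser is sent to after a hit; null or empty means "reload the current page".</param>
    public Sqlchecker(HttpRequest _request, HttpResponse _response, string _safeurl)
    {
        this.request = _request;
        this.response = _response;
        this.safeurl = _safeurl;
    }

    /// <summary>
    /// Read-only: the '|'-separated SQL keyword list in use.
    /// </summary>
    public string KeyWord
    {
        get
        {
            return Strkeyword;
        }
    }

    /// <summary>
    /// Read-only: the '|'-separated special-character list in use.
    /// </summary>
    public string regexstring
    {
        get
        {
            return Strregex;
        }
    }

    /// <summary>
    /// Client-side script emitted when SQL injection is detected: shows an
    /// alert and then navigates to the safe URL, or back to the current URL
    /// when no safe URL was configured.
    /// </summary>
    /// <exception cref="InvalidOperationException">No safe URL is set and no request object is available.</exception>
    public string MSG
    {
        get
        {
            // Request.RawUrl is attacker-controlled: written verbatim into a JS
            // string literal, a quote or "</script>" in the URL would break out
            // of the literal (reflected XSS on the very page meant to block
            // injection). Escape both targets; the safe URL is escaped too so
            // the output is well-formed whatever the configuration contains.
            string target = string.IsNullOrEmpty(this.safeurl)
                ? RequireRequest().RawUrl
                : this.safeurl;

            string msg = "<script type='text/javascript'>"
                + "alert('do not enter illegal characters!');"
                + "window.location.href='" + EscapeForJavaScriptString(target) + "'"
                + "</script>";
            return msg;
        }
    }

    /// <summary>
    /// Checks every query-string parameter value for blacklisted tokens.
    /// Parameter names are not checked, only values.
    /// </summary>
    /// <returns>true if any value contains a blacklisted token, otherwise false.</returns>
    /// <exception cref="InvalidOperationException">No request object is available.</exception>
    public bool Checkrequestquery()
    {
        HttpRequest req = RequireRequest();
        if (req.QueryString.Count == 0)
        {
            return false;
        }

        // Enumerating a NameValueCollection yields its keys (null for unnamed values).
        foreach (string queryname in req.QueryString)
        {
            if (IsPageStateField(queryname))
            {
                continue;
            }
            if (Checkkeyword(req.QueryString[queryname]))
            {
                // One suspicious value is enough; stop at the first hit.
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Checks every posted form field value for blacklisted tokens.
    /// Field names are not checked, only values.
    /// </summary>
    /// <returns>true if any value contains a blacklisted token, otherwise false.</returns>
    /// <exception cref="InvalidOperationException">No request object is available.</exception>
    public bool Checkrequestform()
    {
        HttpRequest req = RequireRequest();
        if (req.Form.Count == 0)
        {
            return false;
        }

        foreach (string queryname in req.Form)
        {
            if (IsPageStateField(queryname))
            {
                continue;
            }
            if (Checkkeyword(req.Form[queryname]))
            {
                // One suspicious value is enough; stop at the first hit.
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Checks whether <paramref name="_sword"/> contains a blacklisted SQL
    /// keyword (bounded by a space on at least one side) or a blacklisted
    /// special character. Comparison is ordinal and case-insensitive, so
    /// "SELECT" is caught as well as "select".
    /// </summary>
    /// <param name="_sword">String to check; null or empty is never flagged.</param>
    /// <returns>true if a blacklisted token is present, otherwise false.</returns>
    public bool Checkkeyword(string _sword)
    {
        if (string.IsNullOrEmpty(_sword))
        {
            return false;
        }

        // Empty entries are removed so a stray '|' cannot produce an empty
        // token, which IndexOf would find at position 0 of every input.
        string[] keywords = Strkeyword.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        string[] symbols = Strregex.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        // Pattern 1: keywords. The space on either side reduces false positives
        // on ordinary words that merely contain a keyword (e.g. "order" / "or").
        foreach (string sqlkey in keywords)
        {
            if (_sword.IndexOf(" " + sqlkey, StringComparison.OrdinalIgnoreCase) >= 0
                || _sword.IndexOf(sqlkey + " ", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }

        // Pattern 2: special characters, matched anywhere in the value.
        foreach (string sqlkey in symbols)
        {
            if (_sword.IndexOf(sqlkey, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }

        return false;
    }

    /// <summary>
    /// Runs the query-string and form checks and, on a hit, writes
    /// <see cref="MSG"/> to the response and ends it.
    /// </summary>
    /// <exception cref="InvalidOperationException">No request or response object is available.</exception>
    public void Check()
    {
        if (Checkrequestquery() || Checkrequestform())
        {
            if (this.response == null)
            {
                throw new InvalidOperationException("Sqlchecker.Check requires a response object; use a constructor that takes HttpResponse.");
            }
            this.response.Write(MSG);
            // Response.End stops the rest of the page lifecycle (in ASP.NET Web
            // Forms it raises ThreadAbortException by design); nothing after
            // this line runs on the original request path.
            this.response.End();
        }
    }

    // Returns the request object or throws when the instance was created without one.
    private HttpRequest RequireRequest()
    {
        if (this.request == null)
        {
            throw new InvalidOperationException("Sqlchecker requires a request object; use a constructor that takes HttpRequest.");
        }
        return this.request;
    }

    // True for the ASP.NET page-state hidden fields that must not be scanned.
    private static bool IsPageStateField(string name)
    {
        return string.Equals(name, ViewStateField, StringComparison.OrdinalIgnoreCase)
            || string.Equals(name, EventValidationField, StringComparison.OrdinalIgnoreCase);
    }

    // Escapes a value for use inside a single-quoted JavaScript string literal
    // embedded in an HTML <script> block. Backslash must be handled first so the
    // escapes added afterwards are not themselves doubled. '<' and '>' are
    // emitted as \u003c / \u003e so "</script>" in the value cannot terminate
    // the block. On .NET 4.0+ HttpUtility.JavaScriptStringEncode does the same job.
    private static string EscapeForJavaScriptString(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return string.Empty;
        }
        return value
            .Replace("\\", "\\\\")
            .Replace("'", "\\'")
            .Replace("\"", "\\\"")
            .Replace("<", "\\u003c")
            .Replace(">", "\\u003e")
            .Replace("\r", "\\r")
            .Replace("\n", "\\n")
            .Replace("\u2028", "\\u2028")
            .Replace("\u2029", "\\u2029");
    }
}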
When using the class, you can choose between a global SQL injection check (that is, for the entire application)
and a local one (that is, on a single page).
/*=========== Global Settings: Add the following code to the Global.asax.cs =============
protected void Application_BeginRequest (Object sender, EventArgs e)
{
Sqlchecker sqlchecker = new Sqlchecker (this. Request,this. Response);
or Sqlchecker Sqlchecker = new Sqlchecker (this. Request,this. Response,safeurl);
Sqlchecker.check ();
}
/*============ locality: At any time, the following code can be used directly to implement SQL injection test ===============
Sqlchecker sqlchecker = new Sqlchecker (this. Request,this. Response);
or Sqlchecker Sqlchecker = new Sqlchecker (this. Request,this. Response,safeurl);
Sqlchecker.check ();
From http://www.jb51.net/article/34671.htm
C#.net full station code to prevent SQL injection classes