using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web;
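/// <summary>
/// Anti-SQL injection checker: scans the query string and the form of the current
/// request for a configurable list of SQL keywords and special characters and, on a
/// hit, writes a client-side script to the response that sends the user back to the
/// current page (or to a configured safe URL) and ends the response.
/// </summary>
/// <remarks>
/// A keyword blocklist is a defense-in-depth measure only: it does not replace
/// parameterized queries at the data-access layer, and it will also reject legitimate
/// input that happens to contain a listed word or symbol. Tune the two lists to the
/// application's needs.
/// </remarks>
public class Sqlchecker
{
    // Request of the current HTTP call; null when the parameterless constructor was used.
    private HttpRequest request;

    // Response of the current HTTP call; null when the parameterless constructor was used.
    private HttpResponse response;

    // URL the client is sent to when injection is detected. When left empty the client
    // is sent back to the current page (request.RawUrl).
    private string safeurl = String.Empty;

    // SQL keywords that may indicate injection, separated by '|'. A broader list kept
    // from the original source:
    //   select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec master|netlocalgroup administrators|:|net user|"|or|and
    private const string Strkeyword = @"select|insert|delete|from|drop table|update|truncate|exec master|netlocalgroup administrators|:|net user|or|and";

    // Special symbols that may indicate injection, separated by '|'. A broader list kept
    // from the original source:
    //   -|;|,|/|(|)|[|]|}|{|%|@|*|!|'
    private const string Strregex = @"=|!|";

    // Both lists are split once. Empty entries (for example from a trailing '|') are
    // dropped: IndexOf("") is 0 for every string, so an empty pattern would flag
    // every request.
    private static readonly string[] KeywordPatterns = SplitPatterns(Strkeyword);
    private static readonly string[] SymbolPatterns = SplitPatterns(Strregex);

    /// <summary>
    /// Creates a checker that is not bound to a request. Only <see cref="Checkkeyword"/>
    /// is meaningful on such an instance; the request-level checks return false.
    /// </summary>
    public Sqlchecker()
    {
    }

    /// <summary>
    /// Creates a checker bound to the current request. When injection is detected the
    /// client is sent back to the current page.
    /// </summary>
    /// <param name="_request">Request object of the current HTTP call.</param>
    /// <param name="_response">Response object of the current HTTP call.</param>
    public Sqlchecker(HttpRequest _request, HttpResponse _response)
    {
        this.request = _request;
        this.response = _response;
    }

    /// <summary>
    /// Creates a checker bound to the current request. When injection is detected the
    /// client is sent to <paramref name="_safeurl"/>.
    /// </summary>
    /// <param name="_request">Request object of the current HTTP call.</param>
    /// <param name="_response">Response object of the current HTTP call.</param>
    /// <param name="_safeurl">URL the client is sent to after injection is detected;
    /// null is treated as "not configured".</param>
    public Sqlchecker(HttpRequest _request, HttpResponse _response, string _safeurl)
    {
        this.request = _request;
        this.response = _response;
        this.safeurl = _safeurl ?? String.Empty;
    }

    /// <summary>
    /// Read-only '|'-separated list of SQL keywords that are checked.
    /// </summary>
    public string KeyWord
    {
        get { return Strkeyword; }
    }

    /// <summary>
    /// Read-only '|'-separated list of special characters that are checked.
    /// </summary>
    public string regexstring
    {
        get { return Strregex; }
    }

    /// <summary>
    /// Client-side script written to the response when injection is detected: shows an
    /// alert and then navigates to the safe URL, or back to the current page when no
    /// safe URL was configured.
    /// </summary>
    public string MSG
    {
        get
        {
            // Destination of the redirect: the configured safe URL, otherwise the URL of
            // the current request (empty when the instance is not bound to a request).
            string target;
            if (string.IsNullOrEmpty(this.safeurl))
            {
                target = this.request == null ? String.Empty : this.request.RawUrl;
            }
            else
            {
                target = this.safeurl;
            }

            // RawUrl is attacker-controlled and this script is emitted into the page
            // verbatim. Encoding the destination as a JavaScript string literal (escapes
            // quotes, backslashes and angle brackets; .NET 4.0+) keeps it from closing
            // the quoted href or the script element; without it the very block that
            // rejects bad input would be a reflected-XSS sink.
            string destination = HttpUtility.JavaScriptStringEncode(target);

            return "<script type='text/javascript'>"
                + "alert('do not enter illegal characters!');"
                + "window.location.href = '" + destination + "';"
                + "</script>";
        }
    }

    /// <summary>
    /// Checks every query-string parameter of the bound request with
    /// <see cref="Checkkeyword"/>.
    /// </summary>
    /// <returns>true if any parameter value contains a listed keyword or symbol;
    /// false otherwise, including when no request is bound.</returns>
    public bool Checkrequestquery()
    {
        return this.request != null && ContainsSuspiciousValue(this.request.QueryString);
    }

    /// <summary>
    /// Checks every form field of the bound request with <see cref="Checkkeyword"/>.
    /// </summary>
    /// <returns>true if any field value contains a listed keyword or symbol;
    /// false otherwise, including when no request is bound.</returns>
    public bool Checkrequestform()
    {
        return this.request != null && ContainsSuspiciousValue(this.request.Form);
    }

    /// <summary>
    /// Checks whether <paramref name="_sword"/> contains a listed SQL keyword or a
    /// listed special symbol. Comparison is ordinal and case-insensitive, so
    /// "SELECT" and "select" are treated alike.
    /// </summary>
    /// <param name="_sword">String to check; null and empty are never a hit.</param>
    /// <returns>true if a keyword or symbol is present, otherwise false.</returns>
    public bool Checkkeyword(string _sword)
    {
        // ASP.NET hands back null for parameters without a value; nothing to scan.
        if (string.IsNullOrEmpty(_sword))
        {
            return false;
        }

        // Mode 1: a keyword counts only when a space delimits it on at least one side
        // (" from" / "select "), which is the original's approximation of whole-word
        // matching. Ordinal comparison avoids culture-dependent matching.
        foreach (string key in KeywordPatterns)
        {
            if (_sword.IndexOf(" " + key, StringComparison.OrdinalIgnoreCase) >= 0
                || _sword.IndexOf(key + " ", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }

        // Mode 2: any occurrence of a listed symbol is a hit.
        foreach (string symbol in SymbolPatterns)
        {
            if (_sword.IndexOf(symbol, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }

        return false;
    }

    /// <summary>
    /// Runs the query-string and form checks and, on a hit, writes <see cref="MSG"/>
    /// to the response and ends it so the page is not processed further.
    /// </summary>
    /// <exception cref="InvalidOperationException">The instance was created without a
    /// request and response.</exception>
    /// <remarks>
    /// In classic ASP.NET, HttpResponse.End() aborts the request thread, so nothing
    /// after the call to <see cref="Check"/> runs when injection is detected.
    /// </remarks>
    public void Check()
    {
        if (this.request == null || this.response == null)
        {
            throw new InvalidOperationException(
                "Check() requires a bound request and response; use the two- or three-argument constructor.");
        }

        if (Checkrequestquery() || Checkrequestform())
        {
            this.response.Write(MSG);
            this.response.End();
        }
    }

    // Scans every entry of a request collection (query string or form) with Checkkeyword,
    // skipping ASP.NET page-state fields. Returns true on the first hit.
    private bool ContainsSuspiciousValue(NameValueCollection values)
    {
        if (values == null || values.Count == 0)
        {
            return false;
        }

        // Enumerating a NameValueCollection yields its keys; a bare "?name" query
        // yields a null key, which indexes fine and is not a page-state field.
        foreach (string name in values)
        {
            if (IsPageStateField(name))
            {
                continue;
            }

            if (Checkkeyword(values[name]))
            {
                return true;
            }
        }

        return false;
    }

    // __VIEWSTATE and __EVENTVALIDATION are opaque framework payloads (base64, so they
    // contain '=' padding) and are excluded from the scan. ASP.NET emits these names in
    // upper case, so the comparison must ignore case or the skip never applies.
    private static bool IsPageStateField(string name)
    {
        return string.Equals(name, "__viewstate", StringComparison.OrdinalIgnoreCase)
            || string.Equals(name, "__eventvalidation", StringComparison.OrdinalIgnoreCase);
    }

    // Splits a '|'-separated pattern list, dropping empty entries.
    private static string[] SplitPatterns(string list)
    {
        return list.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
    }
}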
// When using the checker, decide whether to apply the SQL injection check globally
// (to the entire application) or locally (on a single page).
/*=========== Global setting: add the following code to Global.asax.cs =============
protected void Application_BeginRequest(object sender, EventArgs e)
{
    Sqlchecker sqlchecker = new Sqlchecker(this.Request, this.Response);
    // or: Sqlchecker sqlchecker = new Sqlchecker(this.Request, this.Response, safeurl);
    sqlchecker.Check();
}
*/
/*============ Local setting: at any point, the following code can be used directly to run the SQL injection check ===============
Sqlchecker sqlchecker = new Sqlchecker(this.Request, this.Response);
// or: Sqlchecker sqlchecker = new Sqlchecker(this.Request, this.Response, safeurl);
sqlchecker.Check();
*/
// Source: http://www.jb51.net/article/34671.htm
// "C#.NET site-wide class for preventing SQL injection"