ASP. NET filter class SqlFilter, prevents SQL Injection Original, sqlfilterfont

Source: Internet
Author: User
Tags: sql injection attack, sql injection prevention


What is SQL injection?

I understand that SQL injection lets an attacker run SQL statements in the background through malicious parameter input, in order to read data or destroy the database.
For a simple query, the back end concatenates the SQL statement as: select * from Test where name = ' + parameter + '. If the front-end page asks for a name and the attacker enters '; drop table Test; -- the resulting statement is:
Select * from Test where name = ''; drop table Test; -- '
Do not underestimate this: it is valid, executable SQL, but once it runs the entire Test table is deleted and the website crashes.

Best Solution

The best way is to use parameterized SQL instead of concatenating SQL statements. We recommend it for new projects. It is not introduced here; if you are interested, you can search for it yourself. The method described in this article is meant for old projects, that is, programs that were not written with parameterized SQL.
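The two forms side by side, as an added example that is not part of the original article: the concatenated query from the example above, and the parameterized version recommended here, using System.Data.SqlClient. The Test table with a name column comes from the article; the connection string, the column size and the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the article's code). Assumes a table Test with a column
// name, and a connection string supplied by the caller.
public static class NameLookup
{
    // Concatenated form, as in the article's example: the raw value becomes
    // part of the statement text, so a value containing quotes, semicolons or
    // comment markers changes what the statement means.
    public static string BuildConcatenated(string name)
    {
        return "select * from Test where name = '" + name + "'";
    }

    // Parameterized form: the statement text is fixed and the value travels
    // separately as a typed parameter. The database compares it as data and
    // never parses it as SQL, so no keyword filtering of the input is needed.
    public static DataTable FindByName(string connectionString, string name)
    {
        var result = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("select * from Test where name = @name", conn))
        {
            // Size 100 is an assumption; match the column definition in production.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }

    public static void Main()
    {
        // The article's own input, shown only to make the difference visible:
        // concatenation yields two statements, the parameter stays one value.
        string input = "'; drop table Test; --";
        Console.WriteLine("Concatenated statement text: " + BuildConcatenated(input));
        Console.WriteLine("Parameterized statement text: select * from Test where name = @name");
        Console.WriteLine("Parameter @name value (compared as data): " + input);
    }
}
```

FindByName needs a reachable SQL Server to run; Main only prints the statement texts so the difference can be read without one.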

Filtering with a filter function

Filter out SQL keywords, comment markers, percent signs and semicolons that never appear in normal input; this protects SQL execution as far as a filter can. The code is as follows:

```csharp
using System;
using System.Collections.Specialized;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Web;

public class SqlFilter
{
    // Call once per request (for example from Application_BeginRequest in
    // Global.asax) so that Form, QueryString and Cookie values are cleaned
    // before page code reads them.
    public static void Filter()
    {
        // Blacklist: SQL keywords, comment markers, the percent sign and the
        // semicolon, none of which normal form input should contain.
        string fileter_sql = "execute,exec,select,insert,update,delete,create,drop,alter,exists,table,sysobjects,truncate,union,and,order,xor,or,mid,cast,where,asc,desc,xp_cmdshell,join,declare,nvarchar,varchar,char,sp_oacreate,wscript.shell,xp_regwrite,',%,;,--";
        string[] replace_sqls = fileter_sql.Split(',');

        try
        {
            HttpRequest request = HttpContext.Current.Request;

            // ----------------------- anti-POST injection -----------------------
            if (request.Form != null)
            {
                MakeWritable(request.Form);
                for (int k = 0; k < request.Form.Count; k++)
                {
                    string key = request.Form.Keys[k];
                    request.Form[key] = Clean(request.Form[key], replace_sqls);
                }
            }

            // ----------------------- anti-GET injection ------------------------
            if (request.QueryString != null)
            {
                MakeWritable(request.QueryString);
                for (int k = 0; k < request.QueryString.Count; k++)
                {
                    string key = request.QueryString.Keys[k];
                    request.QueryString[key] = Clean(request.QueryString[key], replace_sqls);
                }
            }

            // ----------------------- anti-Cookie injection ---------------------
            // HttpCookie.Value is writable, so no reflection is needed here.
            if (request.Cookies != null)
            {
                for (int k = 0; k < request.Cookies.Count; k++)
                {
                    HttpCookie cookie = request.Cookies[k];
                    cookie.Value = Clean(cookie.Value, replace_sqls);
                }
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }

    // Request.Form and Request.QueryString are read-only collections; flip the
    // protected IsReadOnly property through reflection so values can be replaced.
    private static void MakeWritable(NameValueCollection collection)
    {
        PropertyInfo isReadOnly = typeof(NameValueCollection).GetProperty(
            "IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
        isReadOnly.SetValue(collection, false, null);
    }

    // Remove every blacklisted token, case-insensitively. Regex.Escape keeps
    // entries such as "wscript.shell" literal instead of treating '.' as a wildcard.
    private static string Clean(string value, string[] tokens)
    {
        if (value == null)
        {
            return null;
        }
        foreach (string token in tokens)
        {
            value = Regex.Replace(value, Regex.Escape(token), "", RegexOptions.IgnoreCase);
        }
        return value;
    }
}
```
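The filter above can only be exercised inside an ASP.NET request, so the following added example (not part of the original article) applies the same keyword list with the same Split/Regex.Replace loop to a few constructed strings in a console program. It shows the article's own attack input being reduced to harmless text, and also the side effect a practitioner should weigh before deploying a blacklist: ordinary values that happen to contain a listed substring are mutilated too. The class name, the Strip method and the sample strings are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example, not the article's code: the SqlFilter keyword list applied
// offline so its behaviour on real-looking input can be inspected.
public static class SqlFilterProbe
{
    // Same blacklist as the article's SqlFilter.
    private const string FilterSql = "execute,exec,select,insert,update,delete,create,drop,alter,exists,table,sysobjects,truncate,union,and,order,xor,or,mid,cast,where,asc,desc,xp_cmdshell,join,declare,nvarchar,varchar,char,sp_oacreate,wscript.shell,xp_regwrite,',%,;,--";

    // Identical to the filter's inner loop: every token is removed, in list
    // order, case-insensitively, with the token taken literally.
    public static string Strip(string value)
    {
        if (value == null)
        {
            return null;
        }
        foreach (string token in FilterSql.Split(','))
        {
            value = Regex.Replace(value, Regex.Escape(token), "", RegexOptions.IgnoreCase);
        }
        return value;
    }

    public static void Main()
    {
        // Constructed inputs: the article's attack string, then three values a
        // legitimate user could plausibly submit in a name or description field.
        string[] samples =
        {
            "'; drop table Test; --",
            "Castle",
            "Anderson",
            "100% cotton"
        };
        foreach (string sample in samples)
        {
            Console.WriteLine("\"{0}\" -> \"{1}\"", sample, Strip(sample));
        }
    }
}
```

The attack string loses drop, table, the quote, the semicolons and the comment marker and ends up as the bare word Test with surrounding spaces. The legitimate values fare no better: "Castle" becomes "le" because cast is a listed token, "Anderson" becomes "erson" because of and, and "100% cotton" loses its percent sign. A blacklist therefore silently corrupts stored data while it filters, which is why the article's own advice to move old code to parameterized SQL is the durable fix.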
