Implement general SQL Injection prevention program in the Global. asax file, global. asaxsql

Implement general SQL Injection prevention program in the Global. asax file, global. asaxsql

First, create an SQLInjectionHelper class to check malicious code.

The Code is as follows:

Using System; using System. collections. generic; using System. linq; using System. web; using System. text. regularExpressions; /// <summary> /// summary of SQLInjectionHelper /// </summary> public class SQLInjectionHelper {// <summary> // obtain Post data /// </summary> /// <param name = "request"> </param> /// <returns> </returns> public static bool ValidUrlData (string request) {bool result = false; if (request = "POST") {for (int I = 0; I <HttpContext. current. request. form. count; I ++) {result = ValidData (HttpContext. current. request. form [I]. toString (); if (result) {break ;}} else {for (int I = 0; I <HttpContext. current. request. queryString. count; I ++) {result = ValidData (HttpContext. current. request. queryString [I]. toString (); if (result) {break ;}} return result ;} /// <summary> /// verify whether the injection code exists /// </summary> /// <param name = "inputData"> </param> // <returns> </returns> private static bool ValidData (string inputData) {// verify whether inputData contains a malicious set if (Regex. isMatch (inputData, GetRegexString () {return true;} else {return false ;}} /// <summary> /// obtain the regular expression /// </summary> /// <returns> </returns> private static string GetRegexString () {// construct the SQL Injection key character string [] strChar = {"and", "exec", "insert", "select", "update", "delete ", "count", "from", "drop", "asc", "or", "char", "% ",";",":", "\ '", "\" ","-"," chr "," master "," mid "," truncate "," declare "," char ", "SiteName", "/add", "xp_cmdshell", "net user", "net localgroup administrators", "exec master. dbo. xp_mongoshell "}; string str_Regex = ". * ("; for (int I = 0; I <strChar. length-1; I ++) {str_Regex + = strChar [I] + "|";} str_Regex + = strChar [strChar. length-1] + "). * "; return str_Regex ;}}

　　

If this type is available, you can use the Application_BeginRequest (object sender, EventArgs e) event in Global. asax to obtain the data submitted by form or URL, and then pass it to the SQLInjectionHelper class ValidUrlData method to complete the check.

The Code is as follows:

Protected void Application_BeginRequest (object sender, EventArgs e) {bool result = false; result = SQLInjectionHelper. validUrlData (Request. requestType. toUpper (); if (result) {Response. write ("the data you submit has malicious characters"); Response. end ();}}

　　

The following is a small program test:

Create a page as follows:

<% @ Page Language = "C #" AutoEventWireup = "true" CodeFile = "Default. aspx. cs" Inherits = "_ Default" %> <! DOCTYPE html PUBLIC "-// W3C // dtd xhtml 1.0 Transitional // EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
　　
 
Add click events separately, as shown below:
protected void btnPost_Click(object sender, EventArgs e)    {     }    protected void btnGet_Click(object sender, EventArgs e)    {        Response.Redirect("Default.aspx?a=1&b=2&c=3");    }
　　
Enter an invalid string in the text box. No matter the post request or get request, it will be intercepted by the anti-SQL injection program.

Figure 1 test the SQL injection program protection page

Figure 2 error message