First, create an sqlinjectionhelper class to check malicious code.
The Code is as follows:
Using system;
Using system. Collections. Generic;
Using system. LINQ;
Using system. Web;
Using system. Text. regularexpressions;
/// <Summary>
/// Summary of sqlinjectionhelper
/// </Summary>
Public class sqlinjectionhelper
{
/// <Summary>
/// Obtain post data
/// </Summary>
/// <Param name = "request"> </param>
/// <Returns> </returns>
Public static bool validurldata (string request)
{
Bool result = false;
If (request = "Post ")
{
For (INT I = 0; I
{
Result = validdata (httpcontext. Current. Request. Form [I]. tostring ());
If (result)
{
Break;
}
}
}
Else
{
For (INT I = 0; I
{
Result = validdata (httpcontext. Current. Request. querystring [I]. tostring ());
If (result)
{
Break;
}
}
}
Return result;
}
/// <Summary>
/// Verify whether the injection code exists
/// </Summary>
/// <Param name = "inputdata"> </param>
/// <Returns> </returns>
Private Static bool validdata (string inputdata)
{
// Verify whether inputdata contains a malicious set
If (RegEx. ismatch (inputdata, getregexstring ()))
{
Return true;
}
Else
{
Return false;
}
}
/// <Summary>
/// Obtain the Regular Expression
/// </Summary>
/// <Returns> </returns>
Private Static string getregexstring ()
{
// Construct key characters for SQL Injection
String [] strchar = {"and", "EXEC", "insert", "select", "Update", "delete", "Count", "from ", "Drop", "ASC", "or", "char", "% ",";",":","\'","\"", "-", "CHR", "Master", "mid", "truncate", "declare", "char", "sitename", "/Add ", "xp_cmdshell", "Net user", "net localgroup Administrators", "Exec master. DBO. xp_cmdshell "};
String str_regex = ".*(";
For (INT I = 0; I <strchar. Length-1; I ++)
{
Str_regex + = strchar [I] + "| ";
}
Str_regex + = strchar [strchar. Length-1] + ").*";
Return str_regex;
}
}
If this type is available, you can use the application_beginrequest (Object sender, eventargs e) event in global. asax to obtain the data submitted by form or URL, and then pass it to the sqlinjectionhelper class validurldata method to complete the check.
The Code is as follows:
Protected void application_beginrequest (Object sender, eventargs E)
{
Bool result = false;
Result = sqlinjectionhelper. validurldata (request. requesttype. toupper ());
If (result)
{
Response. Write ("the data you submit has malicious characters ");
Response. End ();
}
}
The following is a small program test:
Create a page as follows:
<% @ Page Language = "C #" autoeventwireup = "true" codefile = "default. aspx. cs" inherits = "_ default" %>
<! Doctype HTML public "-// W3C // dtd xhtml 1.0 transitional // en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns = "http://www.w3.org/1999/xhtml">
<Head runat = "server">
<Title> </title>
</Head>
<Body>
<Form ID = "form1" runat = "server">
<Div>
<Asp: textbox id = "textbox1" runat = "server"> </ASP: textbox>
<Br/>
<Asp: button id = "btnpost" runat = "server" text = "get post data"
Onclick = "btnpost_click"/>
</Div>
<Asp: button id = "btnget" runat = "server" text = "get data" onclick = "btnget_click"/>
</Form>
</Body>
</Html>
Add click events separately, as shown below:
Protected void btnpost_click (Object sender, eventargs E)
{
}
Protected void btnget_click (Object sender, eventargs E)
{
Response. Redirect ("default. aspx? A = 1 & B = 2 & C = 3 ");
}
Enter an invalid string in the text box. No matter the POST request or GET request, it will be intercepted by the anti-SQL injection program.
Figure 1 test the SQL injection program protection page
Figure 2 error message