Implementing a generic SQL Injection vulnerability program (adapted to Post/get requests) in Global.asax files-practical tips

First, create a Sqlinjectionhelper class to complete the malicious code check
The code is as follows：

Copy Code code as follows:

Using System;
Using System.Collections.Generic;
Using System.Linq;
Using System.Web;
Using System.Text.RegularExpressions;
<summary>
Summary description of Sqlinjectionhelper
</summary>
public class Sqlinjectionhelper
{
<summary>
Get the data for the post
</summary>
<param name= "Request" ></param>
<returns></returns>
public static bool Validurldata (string request)
{
BOOL result = FALSE;
if (Request = = "POST")
{
for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
{
result = ValidData (Httpcontext.current.request.form[i]. ToString ());
if (result)
{
Break
}
}
}
Else
{
for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
{
result = ValidData (Httpcontext.current.request.querystring[i]. ToString ());
if (result)
{
Break
}
}
}
return result;
}
<summary>
Verify that there is an injection code
</summary>
<param name= "Inputdata" ></param>
<returns></returns>
private static bool ValidData (string inputdata)
{
Verify that the inputdata contains a malicious collection
if (Regex.IsMatch (Inputdata, getregexstring ()))
{
return true;
}
Else
{
return false;
}
}
<summary>
Gets the regular expression
</summary>
<returns></returns>
private static string getregexstring ()
{
Constructing injected key characters for SQL
String[] Strchar = {"and", "exec", "Insert", "select", "Update", "delete", "Count", "from", "Drop", "ASC", "or", "char", "%", ";", ":", "\", "\" ","-"," CHR "," Master "," mid "," truncate "," declare "," char "," SiteName ","/add "," xp_cmdshell ", "NET user", "net localgroup Administrators", "Exec Master.dbo.xp_cmdshell"};
String Str_regex = ". * (";
for (int i = 0; i < strchar.length-1; i++)
{
Str_regex + = Strchar[i] + "|";
}
Str_regex + = Strchar[strchar.length-1] + "). *";
return Str_regex;
}
}

Once you have this class, you can use the Application_BeginRequest (object sender, EventArgs e) event in Global.asax to obtain the form or URL submission data. Get passed to Sqlinjectionhelper class Validurldata method to complete the check
The code is as follows

Copy Code code as follows:

protected void Application_BeginRequest (object sender, EventArgs e)
{
BOOL result = FALSE;
result = Sqlinjectionhelper.validurldata (Request.RequestType.ToUpper ());
if (result)
{
Response.Write ("The data you submitted has malicious characters");
Response.End ();
}
}

Here's a little program to test：
Create a page, as follows

Copy Code code as follows:

<%@ Page language= "C #" autoeventwireup= "true" codefile= "Default.aspx.cs" inherits= "_default"%>
<! DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 transitional//en" "Http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd ">
<title></title>
<body>
<form id= "Form1" runat= "Server" >
<div>
<asp:textbox id= "TextBox1" runat= "Server" ></asp:TextBox>
<br/>
<asp:button id= "Btnpost" runat= "server" text= "get Post Data"
onclick= "Btnpost_click"/>
</div>
<asp:button id= "Btnget" runat= "server" text= "Fetch get Data" onclick= "Btnget_click"/>
</form>
</body>

Add the Click event Separately, as follows

Copy Code code as follows:

protected void Btnpost_click (object sender, EventArgs e)
{
}
protected void Btnget_click (object sender, EventArgs e)
{
Response.Redirect ("default.aspx?a=1&b=2&c=3");
}

Enter an illegal string in the text box, which is intercepted by the anti-SQL injection program regardless of the POST request or GET request

Figure 1 The page to test the anti-SQL injection program

Figure 2 Error message