First, create a SqlInjectionHelper class that performs the check for malicious input.
The code is as follows:
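using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;

/// <summary>
/// Request-level keyword filter: scans the submitted form or query-string values
/// for a fixed list of SQL / shell tokens and reports whether any value contains one.
/// </summary>
/// <remarks>
/// This is a blacklist. It cannot prove a value is safe, and it rejects ordinary
/// input that merely contains a listed token (any text with a hyphen, a colon,
/// a quote or the word "from", for example). Treat it as a defence-in-depth tripwire
/// only: data-access code must still use parameterised queries, and request data
/// must never be used to build a shell command. Identifier casing has been restored
/// from the collapsed listing (sqlinjectionhelper / Validurldata / getregexstring).
/// </remarks>
public class SqlInjectionHelper
{
    /// <summary>Tokens whose presence in a submitted value causes the request to be rejected.</summary>
    // Declared before s_keywordPattern: static initialisers run in textual order and
    // GetRegexString() reads this array.
    private static readonly string[] s_keywords =
    {
        "and", "exec", "insert", "select", "update", "delete", "count", "from",
        "drop", "asc", "or", "char", "%", ";", ":", "'", "\"", "-", "chr", "master",
        "mid", "truncate", "declare", "SiteName", "/add", "xp_cmdshell",
        "net user", "net localgroup administrators", "exec master.dbo.xp_cmdshell"
    };

    /// <summary>
    /// Compiled alternation of <see cref="s_keywords"/>, built once. Tokens go through
    /// <see cref="Regex.Escape"/> so "%", "/" and the quote characters are matched
    /// literally, and matching ignores case so "SELECT" and "select" are treated
    /// alike (the original pattern was case-sensitive and matched only the exact
    /// casing of each token).
    /// </summary>
    private static readonly Regex s_keywordPattern = new Regex(
        GetRegexString(),
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);

    /// <summary>
    /// Scans the current request's submitted values for a listed keyword.
    /// </summary>
    /// <param name="request">
    /// The request verb (typically <c>Request.RequestType.ToUpper()</c>). "POST"
    /// selects <c>Request.Form</c>; any other value selects <c>Request.QueryString</c>.
    /// </param>
    /// <returns><c>true</c> when at least one submitted value contains a listed keyword.</returns>
    public static bool ValidUrlData(string request)
    {
        HttpRequest current = HttpContext.Current.Request;

        // Ordinal: the verb is a protocol token, never user-visible text.
        NameValueCollection values =
            string.Equals(request, "POST", StringComparison.OrdinalIgnoreCase)
                ? current.Form
                : current.QueryString;

        return ContainsKeyword(values);
    }

    /// <summary>
    /// Returns <c>true</c> when any value in <paramref name="values"/> contains a
    /// listed keyword. Split out of <see cref="ValidUrlData"/> so the scan can be
    /// exercised without an <see cref="HttpContext"/>.
    /// </summary>
    /// <param name="values">Submitted name/value pairs; <c>null</c> is treated as empty.</param>
    /// <returns><c>true</c> on the first value that matches; <c>false</c> otherwise.</returns>
    public static bool ContainsKeyword(NameValueCollection values)
    {
        if (values == null)
        {
            return false;
        }

        for (int i = 0; i < values.Count; i++)
        {
            // values[i] is the value stored at position i (joined with commas when a
            // key repeats); it may be null when a key was added without a value.
            if (ValidData(values[i]))
            {
                return true;
            }
        }

        return false;
    }

    /// <summary>Returns <c>true</c> when <paramref name="inputData"/> contains a listed keyword.</summary>
    /// <param name="inputData">A single submitted value; <c>null</c> or empty never matches.</param>
    private static bool ValidData(string inputData)
    {
        // The original called Regex.IsMatch directly and would have thrown on a null value.
        return !string.IsNullOrEmpty(inputData) && s_keywordPattern.IsMatch(inputData);
    }

    /// <summary>
    /// Builds the alternation pattern <c>(k1|k2|...)</c> from <see cref="s_keywords"/>.
    /// The leading and trailing <c>.*</c> of the original pattern are omitted:
    /// <see cref="Regex.IsMatch(string)"/> already searches anywhere in the input.
    /// </summary>
    /// <returns>The regular-expression source text.</returns>
    private static string GetRegexString()
    {
        return "(" + string.Join("|", s_keywords.Select(Regex.Escape)) + ")";
    }
}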
With this class in place, the Application_BeginRequest(object sender, EventArgs e) event in Global.asax can be used to obtain the submitted form or URL data and pass it to the SqlInjectionHelper class's ValidUrlData method, which performs the check.
The code is as follows:
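/// <summary>
/// Runs at the start of every request and rejects it when any submitted value trips
/// <see cref="SqlInjectionHelper.ValidUrlData"/>. Lives in Global.asax, so the enclosing
/// class derives from <see cref="HttpApplication"/>; the casing of the helper call was
/// restored from the collapsed listing (Sqlinjectionhelper.validurldata).
/// </summary>
/// <remarks>
/// The helper is a keyword blacklist, not a proof of safety: data-access code must
/// still use parameterised queries regardless of this check.
/// </remarks>
/// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
/// <param name="e">Unused.</param>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // ToUpperInvariant: the verb is compared against "POST", not shown to a user,
    // so the result must not depend on the thread culture.
    if (!SqlInjectionHelper.ValidUrlData(Request.RequestType.ToUpperInvariant()))
    {
        return;
    }

    // Answer with a client-error status instead of a 200 carrying an error text, and
    // keep the body we write (IIS would otherwise substitute its own error page).
    Response.StatusCode = 400;
    Response.TrySkipIisCustomErrors = true;
    Response.Write("The data you submitted has malicious characters");

    // CompleteRequest() ends the pipeline for this request without the
    // ThreadAbortException that Response.End() raises.
    CompleteRequest();
}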
Here is a small program to test:
Create a page, as follows
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Add the two buttons' Click event handlers separately, as follows:
/// <summary>
/// POST test button. The handler body is intentionally empty: the postback itself
/// carries the form fields that Application_BeginRequest inspects.
/// </summary>
/// <param name="sender">The button raising the event.</param>
/// <param name="e">Unused.</param>
protected void Btnpost_click(object sender, EventArgs e)
{
    // Nothing to do here; the filter runs before this handler is reached.
}

/// <summary>
/// GET test button. Redirects to this page with a fixed query string so the
/// query-string branch of the filter is exercised.
/// </summary>
/// <param name="sender">The button raising the event.</param>
/// <param name="e">Unused.</param>
protected void Btnget_click(object sender, EventArgs e)
{
    string target = "default.aspx?a=1&b=2&c=3";
    Response.Redirect(target);
}
Entering an illegal string in the text box is intercepted by the anti-SQL-injection program whether it is submitted as a POST request or as a GET request.
Figure 1 page that tests the anti-SQL injection program
Figure 2 Error message
Implementing a general-purpose anti-SQL-injection program in the Global.asax file