Preventing SQL injection — learning notes for a three-tier architecture

Source: Internet
Author: User
Tags chr httpcontext sql injection attack

The proposed measures, one per tier, are:
1. In the UI layer, constrain the type and length of every input field. The system also provides a function that scans submitted data for SQL keywords; if the scan flags a value, the submission is rejected. (Caveat: this scan is a keyword blacklist — a heuristic that is easy to bypass and that also rejects ordinary words such as "and" or "or" — so it must not be relied on as the primary defence.)
2. In the business logic layer, mask SQL keywords in the data (the system provides a pair of functions that wrap each keyword in square brackets and later unwrap it) and check the data length before committing. Because the masking alters the stored text, the UI layer must restore the masked keywords on output. Note that masking changes the data, not the query: a query that still concatenates the value into SQL text remains injectable.
3. In the data access layer, access data almost exclusively through stored procedures invoked with parameters. Passing user input as bound parameters — never concatenating it into SQL text — is the measure that actually prevents injection; the checks in layers 1 and 2 are at most defence in depth.

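/// <summary>
/// Heuristic scan of user-submitted text for a fixed blacklist of SQL/shell tokens.
/// </summary>
/// <remarks>
/// <para>
/// NOTE(review): this is a keyword blacklist and must not be treated as the
/// defence against SQL injection. The list omits, for example, <c>union</c>,
/// <c>like</c>, <c>waitfor</c> and <c>shutdown</c>, as well as the comment and
/// statement separators <c>--</c>, <c>/* */</c> and <c>;</c>, so a payload built
/// from those tokens passes the scan; at the same time the entries <c>and</c>,
/// <c>or</c> and <c>*</c> reject ordinary input such as "salt and pepper" or
/// "2*3". The data access layer must still use parameterized queries or
/// stored-procedure parameters; this scan is defence in depth at most.
/// </para>
/// <para>
/// Changes from the original: the pattern is built once (static, compiled)
/// instead of on every call, and the <c>*</c> entry now matches wherever it
/// appears. In the original it sat inside the <c>\b ... \b</c> group, which
/// only matches an asterisk flanked by word characters (<c>a*b</c>) and never
/// the space-delimited form in <c>SELECT * FROM</c>. The stray spaces printed
/// inside the original pattern (around <c>substring</c> and before the closing
/// quote) look like a transcription artifact and are not reproduced.
/// </para>
/// </remarks>
/// <param name="inputstring">Raw value submitted by the user; null or empty is treated as safe.</param>
/// <returns>
/// <c>true</c> when no blacklisted token was found; <c>false</c> when one was
/// found or when matching itself threw (fail closed, as in the original).
/// </returns>
private static readonly Regex s_sqlBlacklistRegex = new Regex(
    @"\b(?:and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators)\b|\*",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

public bool Processsqlstr(string inputstring)
{
    if (string.IsNullOrEmpty(inputstring))
    {
        return true;
    }

    try
    {
        return !s_sqlBlacklistRegex.IsMatch(inputstring);
    }
    catch (Exception)
    {
        // Fail closed: if the scan cannot run, treat the value as suspicious.
        return false;
    }
}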
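/// <summary>
/// Gate for an incoming request: every query-string and form field of
/// <c>HttpContext.Current.Request</c> is run through <see cref="Processsqlstr"/>.
/// On the first suspicious value the user is redirected to the error page
/// configured as <c>appSettings["ErrorPage"]</c> in Web.config, with
/// <c>?errmsg=</c> naming the offending field, and the response is ended.
/// Intended to be called from a page or handler before any data access.
/// </summary>
/// <remarks>
/// <para>
/// NOTE(review): the scan is a keyword blacklist (see <see cref="Processsqlstr"/>)
/// and is not a substitute for parameterized queries in the data access layer.
/// Only query-string and form fields are scanned; headers, cookies and the URL
/// path are not.
/// </para>
/// <para>
/// Changes from the original: (1) the field name, which is attacker controlled,
/// is URL-encoded before being placed in the redirect URL; (2) the method now
/// fails closed — if <c>ErrorPage</c> is not configured or the scan throws, the
/// request is answered with HTTP 400 instead of being let through unscanned
/// (the original called <c>ToString()</c> on the possibly-null setting inside a
/// catch-all that swallowed the error and returned normally, so a missing
/// setting silently disabled the check).
/// </para>
/// </remarks>
public void ProcessRequest()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    System.Web.HttpRequest request = context.Request;
    System.Web.HttpResponse response = context.Response;

    try
    {
        // Resolve the redirect target before scanning so a missing setting
        // cannot silently disable the check. ConfigurationSettings is obsolete
        // but is kept to avoid a new assembly reference;
        // ConfigurationManager.AppSettings is the modern equivalent.
        string sqlErrorPage = System.Configuration.ConfigurationSettings.AppSettings["ErrorPage"];
        if (string.IsNullOrEmpty(sqlErrorPage))
        {
            throw new InvalidOperationException("appSettings[\"ErrorPage\"] is not configured in Web.config.");
        }

        string offendingKey;
        if (TryFindSuspiciousField(request.QueryString, out offendingKey)
            || TryFindSuspiciousField(request.Form, out offendingKey))
        {
            // The field name comes from the request; encode it so it cannot
            // add parameters to, or break out of, the redirect URL.
            string errmsg = System.Web.HttpUtility.UrlEncode(offendingKey + "There is a suspected SQL attack!");

            // endResponse=true ends the response, as the original's
            // Redirect + End pair did.
            response.Redirect(sqlErrorPage + "?errmsg=" + errmsg, true);
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Response.Redirect/End abort the request thread by design; propagate.
        throw;
    }
    catch (Exception)
    {
        // Fail closed: a scan that could not run must not let the request through.
        response.StatusCode = 400;
        response.End();
    }
}

/// <summary>
/// Scans <paramref name="fields"/> in order and reports the first field whose
/// value fails <see cref="Processsqlstr"/>.
/// </summary>
/// <param name="fields">Query-string or form collection; null is treated as empty.</param>
/// <param name="key">
/// Name of the offending field (may itself be null for an unnamed query
/// parameter such as <c>?foo</c>), or null when nothing was flagged.
/// </param>
/// <returns><c>true</c> when a suspicious value was found.</returns>
private bool TryFindSuspiciousField(System.Collections.Specialized.NameValueCollection fields, out string key)
{
    key = null;
    if (fields == null)
    {
        return false;
    }

    for (int i = 0; i < fields.Count; i++)
    {
        // Index by position so an unnamed (null-key) field is still scanned.
        if (!Processsqlstr(fields[i]))
        {
            key = fields.GetKey(i);
            return true;
        }
    }

    return false;
}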
#endregion
#region Convert SQL code (masks SQL keywords as a secondary measure against SQL injection; usable in the business logic layer, but the UI layer must decode the value again on output)
/// <summary>
/// Normalizes a submitted string to a fixed maximum length: surrounding
/// whitespace is trimmed, then anything beyond <paramref name="maxLength"/>
/// UTF-16 code units is cut off.
/// </summary>
/// <param name="inputstring">Value to normalize; null or empty is returned unchanged.</param>
/// <param name="maxLength">Maximum number of characters to keep after trimming.</param>
/// <returns>The trimmed, possibly truncated string, or the input itself when it is null or empty.</returns>
/// <remarks>
/// Truncation operates on UTF-16 code units, so it can split a surrogate pair;
/// a negative <paramref name="maxLength"/> makes <c>Substring</c> throw once the
/// trimmed text is longer than it.
/// </remarks>
public string Checkstringlength(string inputstring, int maxLength)
{
    if (string.IsNullOrEmpty(inputstring))
    {
        return inputstring;
    }

    string trimmed = inputstring.Trim();
    return trimmed.Length > maxLength
        ? trimmed.Substring(0, maxLength)
        : trimmed;
}
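/// <summary>
/// Masks every blacklisted SQL/shell token in <paramref name="inputstring"/> by
/// wrapping it in square brackets (<c>select</c> becomes <c>[select]</c>), so the
/// value can be stored without the bare keyword. <c>Mydecodeoutputstring</c>
/// reverses the transformation for display.
/// </summary>
/// <remarks>
/// <para>
/// NOTE(review): bracketing keywords changes the data, not the query. A query
/// that concatenates the masked value into SQL text is still injectable
/// (quotes, <c>;</c> and <c>--</c> are untouched); only parameterized queries
/// prevent injection. Treat this as cosmetic/defence-in-depth.
/// </para>
/// <para>
/// Changes from the original, which looped over the matches and called
/// <c>string.Replace</c> for each: a keyword occurring twice was wrapped twice
/// (<c>select select</c> became <c>[[select]] [[select]]</c>); a match was also
/// replaced inside longer words (<c>select selection</c> became
/// <c>[select] [select]ion</c>); and <c>*</c> was only matched when flanked by
/// word characters. The rewrite performs one regex replacement over the input,
/// which fixes all three; the keyword list itself is unchanged, apart from the
/// stray spaces printed in the original pattern, which look like a transcription
/// artifact.
/// </para>
/// </remarks>
/// <param name="inputstring">Value to mask; null or empty is returned unchanged.</param>
/// <returns>The masked string, or <c>""</c> if the replacement threw (as in the original).</returns>
private static readonly Regex s_sqlKeywordEncodeRegex = new Regex(
    @"\b(?:and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators)\b|\*",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

public string Myencodeinputstring(string inputstring)
{
    if (string.IsNullOrEmpty(inputstring))
    {
        return inputstring;
    }

    try
    {
        // "$0" re-emits the matched text with its original casing.
        return s_sqlKeywordEncodeRegex.Replace(inputstring, "[$0]");
    }
    catch (Exception)
    {
        // Original contract: any failure yields an empty string.
        return "";
    }
}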
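/// <summary>
/// Reverses <c>Myencodeinputstring</c>: every bracketed blacklisted token
/// (<c>[select]</c>) is turned back into the bare token (<c>select</c>).
/// Brackets around any other text are left alone.
/// </summary>
/// <remarks>
/// <para>
/// NOTE(review): the output is raw text; if it is rendered in HTML it still
/// needs HTML encoding — this method does not make the value safe for display.
/// </para>
/// <para>
/// Changes from the original: the replacement is a single regex pass instead of
/// a loop of <c>string.Replace</c> calls, and <c>[*]</c> is now decoded. In the
/// original the asterisk alternative sat between <c>\[\b</c> and <c>\b\]</c>, and
/// since <c>[</c>, <c>*</c> and <c>]</c> are all non-word characters no word
/// boundary exists there, so <c>[*]</c> never matched. The stray spaces printed
/// in the original pattern look like a transcription artifact and are not
/// reproduced.
/// </para>
/// </remarks>
/// <param name="outputstring">Masked value; null or empty is returned unchanged.</param>
/// <returns>The unmasked string, or <c>""</c> if the replacement threw (as in the original).</returns>
private static readonly Regex s_sqlKeywordDecodeRegex = new Regex(
    @"\[(and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators|\*)\]",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

public string Mydecodeoutputstring(string outputstring)
{
    if (string.IsNullOrEmpty(outputstring))
    {
        return outputstring;
    }

    try
    {
        // "$1" is the token between the brackets, with its original casing.
        return s_sqlKeywordDecodeRegex.Replace(outputstring, "$1");
    }
    catch (Exception)
    {
        // Original contract: any failure yields an empty string.
        return "";
    }
}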
158 #endregion

