Prevent SQL injection attacks

For example:
If your query statement is select * from Admin where username = "& user &" and Password = "& PWD &""
Then, if my user name is: 1 or 1 = 1
Then, your query statement will become:
Select * from Admin where username = 1 or 1 = 1 and Password = "& PWD &""
In this way, your query statements are passed and you can access your management interface.
Therefore, you need to check user input for defense purposes. Special characters, such as single quotes, double quotation marks, semicolons, commas, colons, and connection numbers, are converted or filtered.
Special characters and strings to be filtered include:
Net user
Xp_mongoshell
/Add
Exec master. DBO. xp_mongoshell
Net localgroup Administrators
Select
Count
ASC
Char
Mid

:
"
Insert
Delete from
Drop table
Update
Truncate
From
%
The following describes how to prevent injection attacks. Code For your reference!
Code for preventing SQL injection attacks in JS:

<Script language = "JavaScript">
<! --
VaR url = location. search;
VaR Re =/^ \? (. *) (Select % 20 | insert % 20 | Delete % 20 from % 20 | count \ (| drop % 20table | update % 20 truncate % 20 | ASC \ (| mid \ (| char \ (| xp_mongoshell | exec % 20master | net % 20 localgroup % 20administrators | \ "|: | net % 20user | \ | % 20or % 20 )(. *) $/GI;
VaR E = Re. Test (URL );
If (e ){
Alert ("the address contains invalid characters ~ ");
Location. href = "error. asp ";
}
// -->
<SCRIPT>
Code for ASP to prevent SQL injection attacks ~ :
[Code start]
<%
On Error resume next
Dim strtemp
If lcase (request. servervariables ("HTTPS") = "off" then
Strtemp = "http ://"
Else
Strtemp = "https ://"
End if
Strtemp = strtemp & request. servervariables ("SERVER_NAME ")
If request. servervariables ("server_port") <> 80 then strtemp = strtemp & ":" & request. servervariables ("server_port ")
Strtemp = strtemp & request. servervariables ("url ")
If trim (request. querystring) <> "then strtemp = strtemp &"? "& Trim (request. querystring)
Strtemp = lcase (strtemp)
If instr (strtemp, "select % 20") or instr (strtemp, "insert % 20") or instr (strtemp, "Delete % 20 from") or instr (strtemp, "Count (") or instr (strtemp, "Drop % 20 table") or instr (strtemp, "Update % 20") or instr (strtemp, "truncate % 20 ") or instr (strtemp, "ASC (") or instr (strtemp, "mid (") or instr (strtemp, "char (") or instr (strtemp, "xp_{shell ") or instr (strtemp, "Exec % 20 master") or instr (strtemp, "net % 20 localgroup % 20 administrators") or instr (strtemp ,":") or instr (strtemp, "net % 20 user") or instr (strtemp, "") or instr (strtemp, "% 20or % 20") then
Response. Write "<script language = JavaScript>"
Response. Write "alert (Invalid Address !!); "
Response. Write "location. href = Error. asp ;"
Response. Write "<SCRIPT>"
End if
%>
[Code end]
C # Check strings to prevent SQL injection attacks
This example is tentatively set to = and No.
Bool checkparams (Params object [] ARGs)
{
String [] lawlesses = {"= ",""};
If (lawlesses = NULL | lawlesses. Length <= 0) return true;
// Construct a regular expression. For example, if lawlesses is a = sign and a number, the regular expression is. * [=}]. * (for details about the regular expression, see msdn)
// In addition, because I want to make a general and easy-to-Modify function, I have added a step from a character array to a regular expression. In actual use, I can directly write a regular expression;
String str_regex = ".*[";
For (INT I = 0; I <lawlesses. Length-1; I ++)
Str_regex + = lawlesses [I] + "| ";
Str_regex + = lawlesses [lawlesses. Length-1] + "]. *";
//
Foreach (Object ARG in ARGs)
{
If (Arg is string) // if it is a string, directly check
{
If (RegEx. Matches (Arg. tostring (), str_regex). Count> 0)
Return false;
}
Else if (Arg is icollection) // if it is a set, check whether the element in the set is a string or not.
{
Foreach (Object OBJ in (icollection) Arg)
{
If (obj is string)
{
If (RegEx. Matches (obj. tostring (), str_regex). Count> 0)
Return false;
}
}
}
}
Return true;
Add:
Use HTML. encode to prevent javascript injection attacks