Prevent SQL injection

Source: Internet
Author: User
Tags: sql injection attack

A cautionary example:

A detailed look at SQL injection attacks. Below we take a simple user login as the example and, with code, walk through how the injection works and how to guard against it. For a simple login page the code might look like this:

// requires: using System.Data; using System.Data.SqlClient;
try
{
    // Vulnerable: the user's input is concatenated straight into the SQL text.
    string strUserName = this.txtUserName.Text;
    string strPwd = this.txtPwd.Text;
    string strSQL = "SELECT * FROM UserInfo WHERE username='" + strUserName + "' AND password='" + strPwd + "'";
    SqlConnection objDbConn = new SqlConnection("Database connection string");
    SqlDataAdapter objAdapter = new SqlDataAdapter(strSQL, objDbConn);
    DataSet objDataSet = new DataSet();
    objAdapter.Fill(objDataSet); // TODO: inspect the returned rows to decide whether the login succeeds.
}
catch (System.Exception e)
{
    // Echoing the raw exception text to the page also leaks database error details
    // that help an attacker refine an injection.
    this.lblMsg.Text = e.Message;
    this.lblMsg.Visible = true;
}

With the code above, a normal user name and password behave as expected. But if the user name entered is Johny'-- then the statement SQL Server executes becomes:

SELECT * FROM UserInfo WHERE username='Johny'--' AND password='password'

Everything after -- is a comment, so as long as a user named Johny exists the query returns a row whatever the password is, and the login succeeds. Worse still, SQL Server ships with extended stored procedures that run operating-system commands, xp_cmdshell among them. If the user name is

Johny' exec xp_cmdshell 'format d:/s'--

consider the consequences: a malicious user only has to vary the command after xp_cmdshell to do a great deal of damage. (xp_cmdshell is disabled by default on SQL Server 2005 and later, but an application login with sysadmin rights can re-enable it through sp_configure, which is one more reason the application should not connect as sysadmin.)

.NET methods for preventing SQL injection

1. Pass values through SqlCommand parameters:

// requires: using System.Data; using System.Data.SqlClient;
string strSQL = "SELECT * FROM [user] WHERE [id]=@id";
SqlCommand cmd = new SqlCommand(strSQL, objDbConn); // objDbConn: an open SqlConnection
// The value travels to the server separately from the SQL text, typed as varchar(20),
// so quotes or comment markers inside it can never change the statement's structure.
cmd.Parameters.Add("@id", SqlDbType.VarChar, 20).Value = Request["id"].ToString();
SqlDataReader reader = cmd.ExecuteReader();

  

2. Filter out forbidden keywords (a blacklist):

/// <summary>
/// Screens a string for SQL keywords that should never appear in user input.
/// </summary>
/// <param name="sSql">The user-supplied text to check.</param>
/// <returns>0 - no injection detected, 1 - injection detected</returns>
public int filterSql(string sSql)
{
    int srcLen, decLen = 0;
    sSql = sSql.ToLower().Trim();
    srcLen = sSql.Length;
    sSql = sSql.Replace("exec", "");
    sSql = sSql.Replace("delete", "");
    sSql = sSql.Replace("master", "");
    sSql = sSql.Replace("truncate", "");
    sSql = sSql.Replace("declare", "");
    sSql = sSql.Replace("create", "");
    sSql = sSql.Replace("xp_", "no");
    decLen = sSql.Length;
    // If any replacement shortened the string, a blacklisted keyword was present.
    if (srcLen == decLen) return 0; else return 1;
}

Treat this as defence in depth at most, never as the fix. The list does not catch the login bypass above (Johny'-- contains none of the keywords), nor a tautology such as ' OR '1'='1, while it rejects legitimate input such as a user called "mastercard" (it contains "master") or any text containing "executive". Parameterised queries (method 1) make the filter unnecessary.
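The login bypass above, the parameterised fix of method 1 and the blacklist of method 2 side by side, as an added example that is not part of the original article. It is written in Python against the standard-library sqlite3 module rather than in C# against SQL Server so that it runs offline; the ? placeholders play the same role as SqlCommand.Parameters. The UserInfo rows, the passwords and the login_filtered wrapper (which gates the vulnerable query with a port of the page's filterSql; the page itself does not show how the filter is wired in) are all constructed for the example.

```python
import sqlite3

# Added example, not from the original article. Python + sqlite3 stand in for
# the page's C#/SQL Server code so it runs offline. The UserInfo table and the
# credentials below are constructed test data.


def make_db():
    """Create an in-memory database with a UserInfo table like the page's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (username TEXT, password TEXT)")
    conn.execute("INSERT INTO UserInfo VALUES ('Johny', 's3cret')")
    conn.execute("INSERT INTO UserInfo VALUES ('mastercard', 'pa55')")
    conn.commit()
    return conn


def build_concat_sql(username, password):
    """The page's vulnerable pattern: user input spliced into the SQL text."""
    return ("SELECT * FROM UserInfo WHERE username='" + username
            + "' AND password='" + password + "'")


def login_concat(conn, username, password):
    """Login as in the first snippet: the attacker controls the statement."""
    return conn.execute(build_concat_sql(username, password)).fetchone() is not None


def login_param(conn, username, password):
    """Method 1 from the page: placeholders in the text, values sent separately."""
    sql = "SELECT * FROM UserInfo WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Method 2 from the page, ported. The C# filterSql returns 1 exactly when one of
# these substrings occurs (every Replace shortens the string), so a substring
# test is equivalent.
BLACKLIST = ("exec", "delete", "master", "truncate", "declare", "create", "xp_")


def filter_sql(text):
    """Port of the page's filterSql: 1 if a blacklisted keyword is present, else 0."""
    text = text.lower().strip()
    return 1 if any(k in text for k in BLACKLIST) else 0


def login_filtered(conn, username, password):
    """Hypothetical use of method 2: reject flagged input, then run the vulnerable query."""
    if filter_sql(username) or filter_sql(password):
        return False
    return login_concat(conn, username, password)


def run_cases():
    """Return {case: (concat, filtered, param)} for a set of constructed inputs."""
    conn = make_db()
    cases = {
        "valid":      ("Johny", "s3cret"),
        "comment":    ("Johny'--", "wrong"),       # the page's Johny'-- bypass
        "tautology":  ("nobody", "' OR '1'='1"),  # contains no blacklisted word
        "mastercard": ("mastercard", "pa55"),     # legitimate, but contains "master"
    }
    return {name: (login_concat(conn, u, p),
                   login_filtered(conn, u, p),
                   login_param(conn, u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    print(build_concat_sql("Johny'--", "password"))
    for name, (concat, filtered, param) in run_cases().items():
        print(f"{name:11} concat={concat!s:5} filtered={filtered!s:5} param={param!s:5}")
```

Running it shows that the concatenated query accepts both injected logins, the blacklist gate still accepts them while turning away the legitimate "mastercard" user, and only the parameterised query gets all four cases right. The xp_cmdshell payload from the text is the one case the blacklist does flag; it is left out of run_cases because SQLite, unlike SQL Server, rejects the stacked statement outright.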

3. Stored procedures, called with SqlCommand parameters (CommandType.StoredProcedure) so that user input reaches the database as typed arguments rather than as part of the SQL text. Note that a stored procedure which builds dynamic SQL from its string arguments with EXEC or sp_executesql is just as injectable as the concatenation above.

JavaScript version of the protection code against SQL injection attacks:

<script language="javascript">
<!--
var url = location.search;
var re = /^\?(.*)(select%20|insert%20|delete%20from%20|count\(|drop%20table|update%20truncate%20|asc\(|mid\(|char\(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|\"|:|net%20user|\|%20or%20)(.*)$/gi;
var e = re.test(url);
if (e) {
    alert("The address contains illegal characters~");
    location.href = "error.asp";
}
//-->
</script>

This runs in the browser, so it only affects honest users: anyone who sends the request directly (curl, an intercepting proxy, or simply a query string with spaces encoded as + instead of %20, which none of the patterns match) skips it entirely. The server-side query must still be parameterised.

Http://www.cnblogs.com/xiepeixing/archive/2012/11/13/2767733.html
