Two classes are involved:
PageValidate.cs, the page data validation class, is a set of general-purpose helpers (numeric, decimal, e-mail and Chinese-character checks, length truncation and a few simple HTML encode/decode routines). Note that, despite the method name SqlText, nothing in it escapes values for SQL; database access must still use parameterized queries.
The code is as follows:
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI.WebControls;
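namespace Common
{
    /// <summary>
    /// Page data validation helpers for ASP.NET Web Forms: whole-string numeric,
    /// decimal, e-mail and Chinese-character checks, length truncation, and a few
    /// HTML encode/decode helpers.
    /// </summary>
    /// <remarks>
    /// SECURITY NOTE (review): despite the names used here, nothing in this class
    /// makes a value safe to concatenate into SQL. <see cref="SqlText"/> only trims
    /// and truncates, and <see cref="InputText"/> / <see cref="Encode"/> are partial
    /// HTML encoders that do not cover attribute, script or URL contexts. Use
    /// parameterized queries for SQL and <see cref="HttpUtility.HtmlEncode(string)"/>
    /// (or the framework's encoding controls) for output; treat this class as a
    /// convenience layer, not a security boundary.
    /// </remarks>
    public class PageValidate
    {
        // All patterns are anchored with ^...$ so the whole value must match, not
        // just a substring of it.
        private static readonly Regex RegNumber = new Regex("^[0-9]+$");
        private static readonly Regex RegNumberSign = new Regex("^[+-]?[0-9]+$");
        // NOTE: the decimal patterns require at least two digits overall: "1.5" and
        // "15" match, but "5", "1." and ".5" do not. Kept as-is for compatibility.
        private static readonly Regex RegDecimal = new Regex("^[0-9]+[.]?[0-9]+$");
        private static readonly Regex RegDecimalSign = new Regex("^[+-]?[0-9]+[.]?[0-9]+$"); // same as ^[+-]?\d+[.]?\d+$
        // Deliberately narrow e-mail shape: one [\w-] label on each side of '@' and a
        // fixed, lower-case TLD allow-list. Sub-domains ("a@mail.example.com"),
        // '+' tags and any other TLD are rejected; widen this if it matters.
        private static readonly Regex RegEmail = new Regex("^[\\w-]+@[\\w-]+\\.(com|net|org|edu|mil|tv|biz|info)$");
        // Any character in the CJK Unified Ideographs block.
        private static readonly Regex RegCHZN = new Regex("[\u4e00-\u9fa5]");

        public PageValidate()
        {
        }

        #region Numeric string checks

        /// <summary>
        /// Reads <paramref name="inputKey"/> from the query string, falling back to the
        /// form body only when the query string has no such key, trims and truncates the
        /// value to <paramref name="maxLen"/> characters, and returns it only if what is
        /// left is an unsigned digit string.
        /// </summary>
        /// <remarks>
        /// The value is cut before it is validated, so a long non-numeric value whose
        /// prefix is numeric ("123abc" with maxLen 3) is accepted as "123".
        /// </remarks>
        /// <param name="req">Current request.</param>
        /// <param name="inputKey">Parameter name to look up; null/empty yields an empty result.</param>
        /// <param name="maxLen">Maximum number of characters kept before the numeric check.</param>
        /// <returns>The validated digit string, or <see cref="string.Empty"/>; never null.</returns>
        public static string FetchInputDigit(HttpRequest req, string inputKey, int maxLen)
        {
            if (string.IsNullOrEmpty(inputKey))
            {
                return string.Empty;
            }

            // A present-but-empty query value is not null and therefore still wins
            // over the form body.
            string value = req.QueryString[inputKey] ?? req.Form[inputKey];
            if (value == null)
            {
                return string.Empty;
            }

            value = SqlText(value, maxLen);
            return IsNumber(value) ? value : string.Empty;
        }

        /// <summary>
        /// Whether <paramref name="inputData"/> consists of one or more ASCII digits (no sign).
        /// </summary>
        /// <param name="inputData">Input string; null is treated as "not a number".</param>
        /// <returns>true when the whole string matches <c>^[0-9]+$</c>.</returns>
        public static bool IsNumber(string inputData)
        {
            // Null guard: Regex.Match(null) would throw ArgumentNullException.
            return inputData != null && RegNumber.IsMatch(inputData);
        }

        /// <summary>
        /// Whether <paramref name="inputData"/> is an integer string with an optional
        /// leading '+' or '-'.
        /// </summary>
        /// <param name="inputData">Input string; null is treated as "not a number".</param>
        /// <returns>true when the whole string matches <c>^[+-]?[0-9]+$</c>.</returns>
        public static bool IsNumberSign(string inputData)
        {
            return inputData != null && RegNumberSign.IsMatch(inputData);
        }

        /// <summary>
        /// Whether <paramref name="inputData"/> is an unsigned decimal string. At least
        /// two digits are required (see the pattern note on <c>RegDecimal</c>).
        /// </summary>
        /// <param name="inputData">Input string; null is treated as "not a decimal".</param>
        /// <returns>true when the whole string matches <c>^[0-9]+[.]?[0-9]+$</c>.</returns>
        public static bool IsDecimal(string inputData)
        {
            return inputData != null && RegDecimal.IsMatch(inputData);
        }

        /// <summary>
        /// Whether <paramref name="inputData"/> is a decimal string with an optional
        /// leading '+' or '-'. At least two digits are required.
        /// </summary>
        /// <param name="inputData">Input string; null is treated as "not a decimal".</param>
        /// <returns>true when the whole string matches <c>^[+-]?[0-9]+[.]?[0-9]+$</c>.</returns>
        public static bool IsDecimalSign(string inputData)
        {
            return inputData != null && RegDecimalSign.IsMatch(inputData);
        }

        #endregion

        #region Chinese detection

        /// <summary>
        /// Whether <paramref name="inputData"/> contains at least one CJK Unified
        /// Ideograph (U+4E00..U+9FA5). This is a "contains" check, not a whole-string one.
        /// </summary>
        /// <param name="inputData">Input string; null yields false.</param>
        /// <returns>true when any character falls in the block.</returns>
        public static bool IsHasCHZN(string inputData)
        {
            return inputData != null && RegCHZN.IsMatch(inputData);
        }

        #endregion

        #region E-mail address

        /// <summary>
        /// Whether <paramref name="inputData"/> has the narrow e-mail shape accepted by
        /// <c>RegEmail</c>: <c>local@domain.tld</c> with a single label on each side and
        /// a fixed TLD allow-list. Syntactic only; it says nothing about deliverability.
        /// </summary>
        /// <param name="inputData">Input string; null yields false.</param>
        /// <returns>true when the whole string matches the pattern.</returns>
        public static bool IsEmail(string inputData)
        {
            return inputData != null && RegEmail.IsMatch(inputData);
        }

        #endregion

        #region Others

        /// <summary>
        /// Trims <paramref name="sqlInput"/> and cuts it to at most
        /// <paramref name="maxLength"/> characters. Null and empty input are returned
        /// unchanged.
        /// </summary>
        /// <remarks>
        /// SECURITY NOTE (review): this does NOT escape or neutralize anything for SQL;
        /// the name is historical. Never use it in place of a parameterized command.
        /// </remarks>
        /// <param name="sqlInput">Input string.</param>
        /// <param name="maxLength">Maximum length to keep; expected to be non-negative.</param>
        /// <returns>The trimmed, truncated string (null when the input was null).</returns>
        /// <exception cref="ArgumentOutOfRangeException">
        /// When <paramref name="maxLength"/> is negative and the trimmed input is longer than it.
        /// </exception>
        public static string SqlText(string sqlInput, int maxLength)
        {
            if (string.IsNullOrEmpty(sqlInput))
            {
                return sqlInput;
            }

            // Trim first so surrounding whitespace does not eat into the length budget.
            string trimmed = sqlInput.Trim();
            return trimmed.Length > maxLength ? trimmed.Substring(0, maxLength) : trimmed;
        }

        /// <summary>
        /// HTML-encodes <paramref name="inputData"/> with <see cref="HttpUtility.HtmlEncode(string)"/>.
        /// </summary>
        /// <param name="inputData">Text to encode; null is returned as null.</param>
        /// <returns>The encoded text.</returns>
        public static string HtmlEncode(string inputData)
        {
            return HttpUtility.HtmlEncode(inputData);
        }

        /// <summary>
        /// Sets <paramref name="lbl"/>'s text to the HTML-encoded form of
        /// <paramref name="txtInput"/>, so user-supplied text cannot inject markup.
        /// </summary>
        /// <param name="lbl">Target label.</param>
        /// <param name="txtInput">Raw text to display.</param>
        public static void SetLabel(Label lbl, string txtInput)
        {
            lbl.Text = HtmlEncode(txtInput);
        }

        /// <summary>
        /// Same as <see cref="SetLabel(Label, string)"/> for an arbitrary object, using its
        /// <c>ToString()</c>. A null object yields an empty label instead of throwing.
        /// </summary>
        /// <param name="lbl">Target label.</param>
        /// <param name="inputObj">Value to display.</param>
        public static void SetLabel(Label lbl, object inputObj)
        {
            SetLabel(lbl, inputObj == null ? string.Empty : inputObj.ToString());
        }

        /// <summary>
        /// Trims, truncates to <paramref name="maxLength"/>, rewrites <c>"</c>,
        /// <c>&lt;</c> and <c>&gt;</c> as HTML entities and removes every single quote.
        /// </summary>
        /// <remarks>
        /// SECURITY NOTE (review): this is not a complete HTML encoder. <c>&amp;</c> is
        /// left alone, so the result can still carry arbitrary entities, and it is
        /// useless in attribute, JavaScript or URL contexts. Dropping apostrophes silently
        /// corrupts input such as "O'Brien" and is not a SQL defense. Prefer storing the
        /// raw value and encoding with <see cref="HtmlEncode"/> at output time.
        /// </remarks>
        /// <param name="inputString">Raw input; null or empty yields an empty string.</param>
        /// <param name="maxLength">Maximum length kept before encoding.</param>
        /// <returns>The cleaned string; never null.</returns>
        public static string InputText(string inputString, int maxLength)
        {
            if (string.IsNullOrEmpty(inputString))
            {
                return string.Empty;
            }

            string text = inputString.Trim();
            if (text.Length > maxLength)
            {
                text = text.Substring(0, maxLength);
            }

            StringBuilder retVal = new StringBuilder(text.Length);
            foreach (char c in text)
            {
                switch (c)
                {
                    case '"':
                        retVal.Append("&quot;");
                        break;
                    case '<':
                        retVal.Append("&lt;");
                        break;
                    case '>':
                        retVal.Append("&gt;");
                        break;
                    default:
                        retVal.Append(c);
                        break;
                }
            }

            // Single quotes are dropped, not encoded (data loss; see remarks).
            retVal.Replace("'", string.Empty);
            return retVal.ToString();
        }

        /// <summary>
        /// Converts plain text to HTML: escapes <c>&amp;</c>, <c>"</c>, <c>&lt;</c> and
        /// <c>&gt;</c>, turns spaces into <c>&amp;nbsp;</c> and newlines into
        /// <c>&lt;br&gt;</c>, and doubles single quotes.
        /// </summary>
        /// <remarks>
        /// The <c>&amp;</c> replacement runs first so later entities are not
        /// double-encoded. Doubling <c>'</c> is a SQL-style escape, not an HTML one, and
        /// <see cref="Decode"/> reverses neither it nor the <c>&amp;amp;</c> replacement,
        /// so Encode/Decode is not a round trip.
        /// NOTE (review): the space/&amp;nbsp; pair was reconstructed from a garbled
        /// listing; confirm against the original source.
        /// </remarks>
        /// <param name="str">Plain text; null throws <see cref="NullReferenceException"/>.</param>
        /// <returns>The HTML fragment.</returns>
        public static string Encode(string str)
        {
            str = str.Replace("&", "&amp;");
            str = str.Replace("'", "''");
            str = str.Replace("\"", "&quot;");
            str = str.Replace(" ", "&nbsp;");
            str = str.Replace("<", "&lt;");
            str = str.Replace(">", "&gt;");
            str = str.Replace("\n", "<br>");
            return str;
        }

        /// <summary>
        /// Turns an <see cref="Encode"/>-style fragment back into text: <c>&lt;br&gt;</c>
        /// becomes a newline and <c>&amp;gt;</c>, <c>&amp;lt;</c>, <c>&amp;nbsp;</c>,
        /// <c>&amp;quot;</c> become the literal characters.
        /// </summary>
        /// <remarks>
        /// SECURITY NOTE (review): the result contains raw <c>&lt;</c>/<c>&gt;</c> again
        /// and must be re-encoded before it is written into a page. <c>&amp;amp;</c> and
        /// doubled quotes are not reversed.
        /// </remarks>
        /// <param name="str">HTML fragment; null throws <see cref="NullReferenceException"/>.</param>
        /// <returns>Plain text.</returns>
        public static string Decode(string str)
        {
            str = str.Replace("<br>", "\n");
            str = str.Replace("&gt;", ">");
            str = str.Replace("&lt;", "<");
            str = str.Replace("&nbsp;", " ");
            str = str.Replace("&quot;", "\"");
            return str;
        }

        #endregion
    }
}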
Save the following as Global.asax in the root directory of the web site (add other application-level handlers as required). Note that the request filter below is a keyword blacklist applied to every request: it is easily bypassed by payloads that avoid the listed words, and it rejects legitimate input that happens to contain them, so it is not a substitute for parameterized SQL queries in the data layer. The code is as follows:
<script language="C#" runat="server"><!--
/// <summary>
/// ASP.NET pipeline hook: runs the request filter before any handler executes.
/// </summary>
/// <param name="sender">The application object (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    StartProcessRequest();
}
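/// <summary>
/// Inspects every query-string, form and cookie value of the current request with
/// <see cref="ProcessSqlStr"/> and terminates the request with HTTP 400 and a short
/// message when a value is rejected. Called from Application_BeginRequest, i.e. for
/// every request including static files and postbacks.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): this is a keyword blacklist, not an injection defense. A
/// payload that avoids the listed words passes, and legitimate text that contains one
/// of them (a comment with the word "update") is blocked for every user. Headers,
/// route data and the raw body are not inspected. The reliable control is
/// parameterized SQL in the data layer; keep this filter, if at all, as a noise reducer.
/// Any exception raised while reading the collections is swallowed and the request
/// proceeds unfiltered (fail-open). That mirrors the original behaviour; revisit it if
/// you rely on this filter. Response.End() is called outside the try block so the
/// ThreadAbortException it raises is never caught here.
/// </remarks>
private void StartProcessRequest()
{
    string rejection = null;
    try
    {
        System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;
        rejection = FindRejectedValue(request.QueryString, "Get, error, contains invalid string", false)
            ?? FindRejectedValue(request.Form, "Post, error, contains invalid string", true)
            ?? FindRejectedCookie(request.Cookies);
    }
    catch
    {
        // Fail-open, see remarks. Nothing is logged because the original had no logger.
    }

    if (rejection != null)
    {
        Reject(rejection);
    }
}

/// <summary>
/// Returns <paramref name="message"/> for the first value in <paramref name="values"/>
/// that <see cref="ProcessSqlStr"/> rejects, or null when every value passes.
/// </summary>
/// <param name="values">Query-string or form collection; null is treated as empty.</param>
/// <param name="message">Error text to return on rejection.</param>
/// <param name="skipViewState">
/// When true the ASP.NET "__VIEWSTATE" field is skipped: it is opaque base64 that
/// would trip the word list. The original skipped it for the form only, not the query string.
/// </param>
private string FindRejectedValue(System.Collections.Specialized.NameValueCollection values, string message, bool skipViewState)
{
    if (values == null)
    {
        return null;
    }

    for (int i = 0; i < values.Count; i++)
    {
        string key = values.Keys[i];
        if (skipViewState && key == "__VIEWSTATE")
        {
            continue;
        }
        if (!ProcessSqlStr(values[key]))
        {
            return message;
        }
    }
    return null;
}

/// <summary>
/// Returns the cookie rejection message for the first cookie value that
/// <see cref="ProcessSqlStr"/> rejects, or null when every cookie passes.
/// Note that other framework fields (e.g. event validation) are not exempted.
/// </summary>
/// <param name="cookies">Request cookies; null is treated as empty.</param>
private string FindRejectedCookie(System.Web.HttpCookieCollection cookies)
{
    if (cookies == null)
    {
        return null;
    }

    for (int i = 0; i < cookies.Count; i++)
    {
        string key = cookies.Keys[i];
        // Carried over from the form loop; a cookie with this name is not expected.
        if (key == "__VIEWSTATE")
        {
            continue;
        }
        if (!ProcessSqlStr(cookies[key].Value))
        {
            return "Cookies, error, contains illegal string";
        }
    }
    return null;
}

/// <summary>
/// Writes <paramref name="message"/> with HTTP status 400 and ends the request.
/// The original returned 200 with the message body, which hides the rejection from
/// clients, proxies and logs.
/// </summary>
/// <param name="message">Text written to the response.</param>
private static void Reject(string message)
{
    System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
    response.StatusCode = 400;
    response.Write(message);
    response.End();
}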
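/// <summary>
/// Decides whether a user-supplied value "looks normal": returns false when it contains
/// any word from a fixed SQL keyword blacklist (case-insensitive substring match), true
/// otherwise. Empty or whitespace-only input is accepted; null is rejected (the original
/// reached the same result through its catch block).
/// </summary>
/// <param name="Str">Value from the query string, form or cookies.</param>
/// <returns>true when no blacklisted keyword was found; false when one was found or the value was null.</returns>
/// <remarks>
/// SECURITY NOTE (review): substring matching against a word list is neither complete
/// nor precise. Payloads that avoid these words (quote- and comment-based input, UNION,
/// OR 1=1, other verbs) pass straight through, while ordinary words such as "middle",
/// "broadcast" or "executive" are rejected because they contain "mid", "cast" or "exec".
/// Parameterized queries are the actual control; do not rely on this function.
/// The keyword list below was recovered from a garbled listing (the original delimiter
/// was lost and translator noise was dropped); review it against the original source.
/// </remarks>
private bool ProcessSqlStr(string Str)
{
    if (Str == null)
    {
        return false;
    }
    if (Str.Trim().Length == 0)
    {
        return true;
    }

    // RemoveEmptyEntries guards against a stray delimiter producing "": IndexOf("")
    // is 0 and would reject every request.
    string[] keywords = SqlKeywordList.Split(new char[] { ' ' }, System.StringSplitOptions.RemoveEmptyEntries);
    foreach (string keyword in keywords)
    {
        // Ordinal, case-insensitive: the original lower-cased with the current culture,
        // which misbehaves under some locales (e.g. Turkish "I"/"ı").
        if (Str.IndexOf(keyword, System.StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }
    return true;
}

// Space-separated blacklist used by ProcessSqlStr.
private const string SqlKeywordList = "select distinct insert into delete update declare sysobjects syscolumns cast truncate master mid exec";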
// --> </Script>