SQL Injection prevention and write security code in ASP. NET

Source: Internet
Author: User

From the principle of SQL injection it is not hard to see that whether such an attack succeeds depends on whether input validation was considered when the site was built. It also shows that using stored procedures works well against such attacks, because the input parameters are generally converted to a typed value: they can only be field values and are never treated as part of the SQL statement. Of course, some websites did not take such precautions during development, and changing all of that code is a lot of work. There are many methods on the Internet; I have sorted out these methods and the test results are good, for reference; the original source is not indicated here.
The method below filters user input in the global application's Application_BeginRequest handler, rejecting requests whose query string or form data contains SQL keywords that should never appear in the address bar or in a posted field.
1. If the ASP.NET project has no global application class yet (Global.asax), create one.
2. Add the following method to that class. sqlStr is the '|'-separated list of SQL keywords to be blocked; change its contents as needed.

```csharp
private bool ProcessSqlStr(string str)
{
    bool returnValue = true;
    try
    {
        if (str != "")
        {
            // Keyword blacklist; entries are separated by '|'
            string sqlStr = "select *|and '|or '|insert into|delete from|alter table|update |create table|create view|drop view|create index|drop index|create procedure|drop procedure|create trigger|drop trigger|create schema|drop schema|create domain|alter domain|drop domain|);|select @|declare @|print @|char (|select ";
            string[] anySqlStr = sqlStr.Split('|');
            foreach (string ss in anySqlStr)
            {
                // Case-insensitive match, otherwise mixed-case keywords slip past the filter
                if (str.IndexOf(ss, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    returnValue = false;
                }
            }
        }
    }
    catch
    {
        // Any failure while inspecting the input is treated as suspicious
        returnValue = false;
    }
    return returnValue;
}
```

3. Add the Application_BeginRequest method to the application class as follows:

```csharp
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Traverse the POST parameters, except hidden fields
    // foreach (string i in this.Request.Form)
    // {
    //     if (i == "__VIEWSTATE") continue;
    //     this.GoErr(this.Request.Form[i].ToString());
    // }
    // Traverse the GET parameters
    // foreach (string i in this.Request.QueryString)
    // {
    //     this.GoErr(this.Request.QueryString[i].ToString());
    // }
    try
    {
        string getKeys = "";
        // Error page registered under <appSettings> in Web.config
        // (ConfigurationManager.AppSettings is the non-obsolete equivalent on newer frameworks)
        string sqlErrorPage = System.Configuration.ConfigurationSettings.AppSettings["CustomErrorPage"].ToString();
        if (System.Web.HttpContext.Current.Request.QueryString != null)
        {
            // Check every query-string value
            for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
            {
                getKeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
                if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getKeys]))
                {
                    System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage + "?errmsg=sqlserver&sqlprocess=true");
                    System.Web.HttpContext.Current.Response.End();
                }
            }
        }
        if (System.Web.HttpContext.Current.Request.Form != null)
        {
            // Check every posted form value
            for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
            {
                getKeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getKeys]))
                {
                    System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage + "?errmsg=sqlserver&sqlprocess=true");
                    System.Web.HttpContext.Current.Response.End();
                }
            }
        }
    }
    catch
    {
        // Handle the error: the user-submitted data could not be processed
    }
}
```

4. Set up an error page to which suspicious requests are redirected, such as errorpage.html, and register its location in the <appSettings> section of Web.config:

```xml
<add key="CustomErrorPage" value="../errorpage.html"/>
```

5. Most important of all is to write secure code and to use stored procedures properly.
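As an added illustration of step 5 (not code from the original article), the example below shows the string-concatenated query that the keyword filter tries to protect, next to the parameterized stored-procedure call in which user input can only ever be a field value; the table Users, the procedure dbo.GetUserByName and the connection string are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the original article. Assumes a hypothetical table
// Users(UserName) and a hypothetical stored procedure dbo.GetUserByName(@UserName nvarchar(50))
// whose body is a plain "SELECT ... WHERE UserName = @UserName" (no EXEC of dynamic SQL).
public static class UserRepository
{
    // Vulnerable pattern: the user-supplied value becomes part of the SQL text,
    // so only a keyword filter stands between the input and the SQL parser.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT UserName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Safe pattern: the value travels as a typed parameter. SQL Server receives the
    // procedure name and a separate nvarchar value, so quotes, semicolons or comment
    // markers in userName are data, never statement text.
    public static string FindUser(string connectionString, string userName)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50);
            p.Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? null : (string)result;
        }
    }

    // The same guarantee applies to inline SQL: parameterize instead of concatenating.
    public static SqlCommand BuildSafeInlineQuery(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand("SELECT UserName FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }
}
```

A stored procedure that builds its own statement from the parameter and runs it with EXEC loses this property, so the procedure body must use the parameter directly in its WHERE clause.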
