Code
1 First, I will check the server configuration and reconfigure the server security. For more information, see
HTTP: // Hi.baidu.com/zzxap/blog/item/1818108ff921516738b6564.html
2 Second, use coffee custom policies, even if the websiteProgramVulnerabilities make it difficult for others to write data to files.Code.
Refer to the custom policy. With this policy, you cannot write my files even if the program crashes.
HTTP: // Hi.baidu.com/zzxap/blog/item/efe093a7e0f2c417d04358ef.html
3 . You can use the network super patrol to delete the injected JS Code.
Reference
HTTP: // Blog.csdn.net/zzxap/archive/2010/04/07/5459065.aspx
4 . How do I batch Delete the injected code in the database?
Run this code in the database query analyzer.
SQL code
Declare @ fieldtype sysname
Set @ fieldtype = ' Varchar '
-- Delete
Declare hcforeach cursor global
For
Select n ' Update ' + Quotename (O. Name)
+ N ' Set ' + Quotename (C. Name) + N ' = Replace ( ' + Quotename (C. Name) + ' , '' <Script_src = http://ucmal.com/0.js> </SCRIPT> '' , '''' ) '
From sysobjects o, syscolumns C, policypes t
Where o. ID = C. ID
And objectproperty (O. ID, n ' Isusertable ' ) = 1
And C. xusertype = T. xusertype
And T. Name = @ Fieldtype
Exec sp_msforeach_worker @ command1 = N ' ? '
5. Create a trigger, as long as there is</Script>Insert is not performed, which may affect the performance.
SQL code
Create trigger tr_table_insertupdate
On tablename
For Insert, update
As
If Exists (
Select 1 From inserted
Where Data like ' % </SCRIPT> % '
)
Begin
Raiserror ( ' Cannot be modified or added ' , 16 , 1 );
Rollback transaction
End
Go
6The most important thing is program writing, using parameterized SQL or stored procedures.
For example
C # code
Protected Void Cmdok_click ( Object Sender, eventargs E)
{
// Add information
Stringbuilder SQL = New Stringbuilder ( " Insert into m_phone (PID, phonename, num, price, phonetype, onselltime, color, weight, video, camera, phonesize, phonesystem, memorysize, phonedesc, standbytime, screensize, frequency, inputmethod, soundrecord, GPS, FM, MP3, email, infrared, game, clock, calendar, calculator, and Bluetooth) " );
SQL. append ("Values (@ PID, @ textphonename, @ textnum, @ textprice, @ dropphonetype2, @ textonselltime, @ textcolor, @ textweight");
.................
Sqlparameter [] paras = { New Sqlparameter ( " @ PID " , Sqldbtype. Int, 4 ),
New Sqlparameter ( " @ Textphonename " , Sqldbtype. nvarchar, 50 ),
New Sqlparameter ( " @ Textnum " , Sqldbtype. Int, 4 ),
New Sqlparameter ( " @ Textprice " , Sqldbtype. Int, 4 ),
New Sqlparameter ( " @ Dropphonetype2 " , Sqldbtype. varchar, 20 ),
New Sqlparameter ( " @ Textonselltime " , Sqldbtype. datetime, 8 ),
New Sqlparameter ( " @ Textcolor " , Sqldbtype. varchar, 20 ),
New Sqlparameter ( " @ Textweight " , Sqldbtype. nvarchar, 50 ),
...........
};
String[] Stra={Dropphonetype. selectedvalue, textphonename. Text, textnum. Text, textprice. Text, dropphonetype2.selectedvalue, textonselltime. Text, textcolor. Text, textweight. Text,
.............};
Int A = Stra. length;
Int J;
For (J = 0 ; J < A; j ++ )
{
Paras [J]. Value = Stra [J];
}
Int Strpid = 0 ;
String Sqla = SQL. tostring ();
Try
{
Sqlhelper. excutenonqurey (sqla, commandtype. Text, paras ); // Execute add data
Strpid = Convert. toint32 (sqlhelper. excutesclare (sqla, commandtype. Text, paras )); // Get the ID number just inserted
}
Catch(Sqlexception ex)
{
Cmdreturn. Text=Ex. Message. tostring ();
}
Cmdreturn. Text=Strpid. tostring ();
.........
7Parameters passed through the URL must be encrypted and decrypted.
C # code
Transmission
StringSztmp= "Safdsfdsafdsfytrsd";
Sztmp=Server. urlencode (sztmp );
Receive
String stra=Server. urldecode (request. querystring (sztmp ));
8. Process the parameters to be used in single quotes and place them in SQL.
For exampleStringStra=AA. Replace ("'","''")
You can use parameterized SQL statements without processing single quotes.
Specify the parameter type and filter out single quotes to eliminate 99.9%Intruded
In addition, those programs on the Internet that are regarded as Bible filters for keyword such as update insert are of little use. upupdatedate filters out update or update.
It also causes unnecessary trouble.