Summary of web site SQL injection and defense

Recently, our website encountered the problem of SQL injection, which may be caused by a large number of people who are interested in the website, or some people who are in disorder. The database is always injected with malicious code, which makes people do not know how to solve the problem at a time, search for SQL injection from the Internet. That data can be called too much, so it is resistant to sub-reading (no way to read it). However, most of the methods for filtering malicious strings are as follows:

1. filter malicious strings

String xh_in, xh_in2;
// Customize the string to be filtered, separated by "|"
Xh_in = "'|; | and | exec | insert | select | Delete % 20from | update | count | * | % | CHR | mid | master | truncate | char | declare | drop % 20table | from | net % 20user | xp_mongoshell |/Add | net % 20 localgroup % 20administrators | ASC | char ";
Xh_in2 = "'|; | and | exec | insert | select | Delete % 20from | update | count | CHR | mid | master | truncate | char | declare | drop % 20table | from | net % 20user | xp_cmdshell |/Add | net % 20 localgroup % 20administrators | ASC | char ";

String [] sqlinject = xh_in.split ('| ');
String [] sqlinject2 = xh_in2.split ('| ');
// -------- Post part ------------------
If (! Request. Form. Equals (""))
{
Foreach (string xh_post in request. Form)
{
For (Int J = 0; j <sqlinject. getlength (0); j ++)
{
If (request. Form [xh_post]. tolower (). indexof (sqlinject [J])! =-1)
{
Response. Write ("Operation IP:" + request. servervariables ["remote_addr"]);
Response. Write ("Operation page:" + request. servervariables ["url"]);
Response. Write ("submission method:" + "Post ");
Response. Write ("Submit parameter:" + xh_post );
Response. Write ("submit data:" + request. Form [xh_post]);
}
}
}
}

// -------- Get part ------------------
If (! Request. querystring. Equals (""))
{
Foreach (string xh_get in request. querystring)
{
For (Int J = 0; j <sqlinject. getlength (0); j ++)
{
If (request. querystring [xh_get]. tolower (). indexof (sqlinject [J])! =-1)
{
Response. Write ("Operation IP:" + request. servervariables ["remote_addr"]);
Response. Write ("Operation page:" + request. servervariables ["url"]);
Response. Write ("submission method:" + "get ");
Response. Write ("Submit parameter:" + xh_get );
Response. Write ("submit data:" + request. Form [xh_get]);
}
}
}
}

// -------- Cookie section ------------------
If (! Request. Cookies. Equals (""))
{
Foreach (string xh_cookie in request. Cookies)
{
For (Int J = 0; j <sqlinject2.getlength (0); j ++)
{
If (request. Cookies [xh_cookie]. tostring (). tolower (). indexof (sqlinject2 [J])! =-1)
{
Response. Write ("Operation IP:" + request. servervariables ["remote_addr"]);
Response. Write ("Operation page:" + request. servervariables ["url"]);
Response. Write ("submission method:" + "cookie ");
Response. Write ("Submit parameter:" + xh_cookie );
Response. Write ("submit data:" + request. Form [xh_cookie]);
}
}
}
}
This method is feasible, but it cannot be added to every page. Now we can only write it into the httpmodule module and make some changes to the Code, it is written to a custom module. However, after doing so, another problem is that the normal information we publish cannot be added because it contains such a keyword, this is also a very uncomfortable problem. What should I do? Finally, I found that I should not be lazy. When writing SQL statements, each statement should be checked accordingly, which is indeed very difficult. At this moment, I recommend that you use the parameter parameterized SQL command to execute it. This method can completely eliminate SQL injection. The sample code is as follows:

Add data:

Public bool add (ecorpsite. model. sitenewscls Model)
{
Stringbuilder strsql = new stringbuilder ();
Strsql. append ("insert into sitenewscls (");
Strsql. append ("infoclsid, clsname, parentid, childcount, depth, userclsid, ishaspic, picsize )");
Strsql. append ("values (");
Strsql. append ("@ infoclsid, @ clsname, @ parentid, @ childcount, @ depth, @ userclsid, @ ishaspic, @ picsize )");
Oledbparameter [] parameters = {
New oledbparameter ("@ infoclsid", oledbtype. varchar, 12 ),
New oledbparameter ("@ clsname", oledbtype. varchar, 30 ),
New oledbparameter ("@ parentid", oledbtype. varchar, 12 ),
New oledbparameter ("@ childcount", oledbtype. integer, 4 ),
New oledbparameter ("@ depth", oledbtype. integer, 4 ),
Parameters [0]. value = model. infoclsid;
Parameters [1]. value = model. clsname;
Parameters [2]. value = model. parentid;
Parameters [3]. value = model. childcount;
Parameters [4]. value = model. depth;

Dbhelperoledb. executesql (strsql. tostring (), parameters );

Strsql. Remove (0, strsql. Length );
Strsql. append ("Update sitenewscls set ");
Strsql. append ("childcount = childcount + 1 ");
Strsql. append ("where infoclsid = '" + model. parentid + "'");

Return dbhelperoledb. executesql (strsql. tostring ()> 0;
}

Delete data:

/// <Summary>
/// Delete a piece of data
/// </Summary>
Public bool Delete (string infoclsid)
{
Bool rtnvalue = false;
Stringbuilder strsql = new stringbuilder ();

Strsql. append ("select infoclsid from sitenewscls where parentid = @ infoclsid ");
Oledbparameter [] parameters = {
New oledbparameter ("@ infoclsid", oledbtype. varchar, 50 )};
Parameters [0]. value = infoclsid;

Return dbhelperoledb. executesql (strsql. tostring (), parameters)> 0;

}

The above two are reference codes, and other codes are similar. This method is better. In the first day, it seems to be very difficult to write. However, in actual application, it can increase the speed and reduce the error rate, of course, it can also prevent SQL injection, write it for your reference, and reply to the discussion with different opinions.

The injection problem of our database is mainly caused by the fact that no parameterized SQL statements are used for the code written in the early stage. We also hope that new users will take it as an example.