The anti-SQL injection of ASP.

Source: Internet
Author: User
Tags: how to prevent sql injection

1. What is SQL injection
SQL injection means inserting SQL commands into a submitted form field, a query string, a domain name or a page request so that the server is tricked into executing a malicious SQL command. By crafting the submitted parameters into clever SQL fragments, the attacker obtains the data they want.

2. Types of SQL injection
SQL injection can be divided into five categories: numeric injection, string (character) injection, search-type injection (LIKE), IN-clause injection, and statement-concatenation injection.
On the application side, pay special attention to SQL injection in places such as IP handling, search, bulk delete, and code that moves data from one database to another.

3. How the injection works

Let's look at a typical example (this is the vulnerable code: the user name and password are concatenated straight into the SQL text):

SqlCommand cmd = new SqlCommand("SELECT * FROM pe_users WHERE UserName = '"
    + UserName + "' AND UserPassword = '" + PassWord + "'", conn);


Since no validation is performed on the user name or password, if the submitted user name is  admin' OR 1=1--
the SQL statement actually executed is:

SELECT * FROM pe_users WHERE UserName = 'admin' OR 1=1--' AND UserPassword = ''

This is SQL injection: the WHERE condition is always true, and the rest of the statement (including the password check) is commented out by --, so the login succeeds without any password.

4. How to prevent SQL injection

1. Filter or convert suspicious strings

Prevent SQL injection by writing a function that filters or transforms dangerous strings, and then calling it from Global.asax (or from an overridden context instance) for every request.

Here's an example:

public static bool SqlFilter2(string inText)
{
    // Blacklist of SQL keywords; a match preceded or followed by a space is treated as suspicious
    string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join";
    if (inText == null)
        return false;
    foreach (string i in word.Split('|'))
    {
        if ((inText.ToLower().IndexOf(i + " ") > -1) || (inText.ToLower().IndexOf(" " + i) > -1))
        {
            return true;
        }
    }
    return false;
}

Second, in Global.asax:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Traverse POST parameters, except the hidden ViewState field
    foreach (string i in this.Request.Form)
    {
        if (i == "__VIEWSTATE") continue;
        this.GoErr(this.Request.Form[i].ToString());
    }
    // Traverse GET parameters
    foreach (string i in this.Request.QueryString)
    {
        this.GoErr(this.Request.QueryString[i].ToString());
    }
}

private void GoErr(string tm)
{
    // Abort the request as soon as any parameter trips the filter
    if (WLCW.Extend.CValidity.SqlFilter2(tm))
        this.Response.End();
}

Pros: This is the approach most novice programmers use to prevent SQL injection, and it looks as if it prevents injection in most cases.

Cons: 1. It filters some characters that were never intended as injection, causing unexpected problems. For example, a forum member name that happens to contain one of the filtered words will be rejected, causing unexpected problems and trouble.

2. Every request must be filtered or converted, which reduces program efficiency.

2. Using stored procedures and parameterized queries

The goal of SQL injection is to submit malicious SQL code so that malicious commands are executed in the database. It follows that SQL injection can be effectively prevented as long as the input is handled before the SQL command is executed. Parameterized queries do exactly this.

Example:

const string strSQL = "SELECT * FROM [pe_users] WHERE UserName = @UserName";
SqlCommand cmd = new SqlCommand(strSQL, conn);
SqlParameter parm = new SqlParameter("@UserName", SqlDbType.NVarChar, 50);
parm.Value = UserName;
cmd.Parameters.Add(parm);

The statement has one parameter, @UserName; the SqlParameter object is used to add it to the Command object,
and that gives you a parameterized query.
For the statement above, ADO.NET sends the following SQL to SQL Server:

exec sp_executesql N'select * from [pe_users] where [UserName]=@UserName',
    N'@UserName nvarchar', @UserName = N'name'

SQL Server binds @UserName to the string "name" before executing the query.
Suppose you have the following input:

' UNION SELECT @@version, null, null--

The resulting SQL statement is as follows:

exec sp_executesql N'select * from [pe_users] where [UserName]=@UserName',
    N'@UserName nvarchar', @UserName = N''' UNION SELECT @@version, null, null--'

You can see that ADO.NET escapes the input: it is passed as a single string value, not as SQL.
The overload of SqlParameterCollection.Add that also takes a size is:

public SqlParameter Add(string parameterName, SqlDbType sqlDbType, int size);

DbType or SqlDbType covers a variety of data types; choose the one that matches your data.
Where it makes sense, you can also specify the length of the parameter (int size). This limits the size of the input and so also reduces the possibility of database overflow and SQL injection.
Advantages: Effectively prevents SQL injection.
Cons: It cannot be applied everywhere, for example inside an IN (...) list.

3. Whitelist

Description:
For parameters with a known range of values, a whitelist can be used both to prevent SQL injection and to avoid query errors. For example, with ORDER BY + column name, where the column name arrives as a parameter, make a whitelist of permitted column names: first check that the parameter is in the whitelist, then run the query; otherwise treat it as an error.
Advantages: Safe and reliable
Cons: Small range of application
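The following added example (it is not code from the original article or from the framework the article quotes) puts sections 4.2 and 4.3 together for a hypothetical pe_users table. It rewrites the vulnerable login from section 3 with SqlParameter objects, shows that the IN clause the article lists as a limitation can still be parameterized by generating one parameter per value, and uses a whitelist for ORDER BY, which cannot take a parameter at all. The column names UserId, UserName and UserPassword, the parameter lengths and the whitelist contents are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not part of the original article. Table and column names are assumed.
public static class SafeUserQueries
{
    // 1. The login query from section 3, rewritten with SqlParameter objects.
    //    The input never becomes part of the SQL text, so a value such as
    //    "admin' OR 1=1--" is simply looked up as a literal user name.
    public static bool Login(SqlConnection conn, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM [pe_users] WHERE UserName = @UserName AND UserPassword = @UserPassword";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // An explicit type and length also bounds the size of the input (section 4.2).
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@UserPassword", SqlDbType.NVarChar, 128).Value = password;
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // 2. IN clause with a variable number of values: generate one named parameter
    //    per value (@p0, @p1, ...). The list length is dynamic, but every value is
    //    still bound as a parameter and never concatenated into the SQL text.
    public static SqlCommand BuildInQuery(SqlConnection conn, IList<int> userIds)
    {
        if (userIds == null || userIds.Count == 0)
            throw new ArgumentException("at least one id is required", "userIds");

        var names = new List<string>(userIds.Count);
        SqlCommand cmd = new SqlCommand { Connection = conn };
        for (int i = 0; i < userIds.Count; i++)
        {
            string name = "@p" + i;
            names.Add(name);
            cmd.Parameters.Add(name, SqlDbType.Int).Value = userIds[i];
        }
        cmd.CommandText =
            "SELECT UserId, UserName FROM [pe_users] WHERE UserId IN (" + string.Join(", ", names) + ")";
        return cmd;
    }

    // 3. ORDER BY cannot be parameterized, so the sort key supplied by the caller is
    //    mapped through a fixed whitelist (section 4.3). Anything not in the map is
    //    rejected before any SQL text is built.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name", "UserName" },
            { "id",   "UserId" },
        };

    public static string BuildOrderByQuery(string sortKey, bool descending)
    {
        string column;
        if (!SortColumns.TryGetValue(sortKey ?? string.Empty, out column))
            throw new ArgumentException("unknown sort column: " + sortKey, "sortKey");
        // Only the whitelisted column name (never the caller's string) is spliced in.
        return "SELECT UserId, UserName FROM [pe_users] ORDER BY [" + column + "]"
               + (descending ? " DESC" : " ASC");
    }
}
```

BuildInQuery returns the prepared SqlCommand rather than executing it so the generated text (`... WHERE UserId IN (@p0, @p1, @p2)`) can be inspected; BuildOrderByQuery raises an ArgumentException for any key outside the whitelist instead of falling back to a default, which keeps an unexpected value from silently reaching the database.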

Reproduced from http://www.cnblogs.com/taizhouxiaoba/archive/2009/02/11/1388228.html
