Use HttpModule to prevent database Injection

Last Update:2013-11-29 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Identify whether SQL injection attack code exists through corresponding keywords

In the following code, you should refer to the above definition, which is actually the key word to be recognized.

However, we usually process requests through the Request. QueryString/Request. Form

We can write a class to process these requests. However, if this class is loaded for processing in every processing stage, it is too troublesome.

If you write an ISAPI, you can also implement this function, but in. in NET, HttpModule helps us implement functions similar to ISAPI Filter, so it is best to use HttpModule to handle these tasks.

We only need to register the BeginRequest event.

If Request. RequestType = "GET" Then
For Each strTemp1 In Request. QueryString
For Each strTemp2 In strf
If InStr (LCase (strTemp1), LCase (strTemp2), CompareMethod. Text) Then
Response. Write ("what do you want? Don't note me! QQ with vulnerability notification: 26242000 ")
Response. End ()
End If
Next
Next
ElseIf Request. RequestType = "POST" Then
For Each strTemp1 In Request. Form
For Each strTemp2 In strf
If InStr (LCase (strTemp1), LCase (strTemp2), CompareMethod. Text) Then
Response. Write ("what do you want? Don't note me! QQ with vulnerability notification: 26242000 ")
Response. End ()
End If
Next
Next
End If

Let's take a look at the SQL attack protection code I found on Baidu.

// @ Copyright S. Sams Lifexperience http://blog.8see.net/
Using System;

Namespace Theme. Services. Public
{
/// <Summary>
/// Summary of SqlstrAny.
/// </Summary>
Public class ProcessRequest
{
Public ProcessRequest ()
{
//
// TODO: add the constructor logic here
//
}

# Region SQL injection attack code analysis
/// <Summary>
/// Process user-submitted requests
/// </Summary>
Public void StartProcessRequest ()
{
Try
{
String getkeys = "";
String sqlErrorPage = System. Configuration. ConfigurationSettings. AppSettings ["CustomErrorPage"]. ToString ();
If (System. Web. HttpContext. Current. Request. QueryString! = Null)
{

For (int I = 0; I <System. Web. HttpContext. Current. Request. QueryString. Count; I ++)
{
Getkeys = System. Web. HttpContext. Current. Request. QueryString. Keys [I];
If (! ProcessSqlStr (System. Web. HttpContext. Current. Request. QueryString [getkeys])
{
System. Web. HttpContext. Current. Response. Redirect (sqlErrorPage + "? Errmsg = sqlserver & sqlprocess = true ");
System. Web. HttpContext. Current. Response. End ();
}
}
}
If (System. Web. HttpContext. Current. Request. Form! = Null)
{
For (int I = 0; I <System. Web. HttpContext. Current. Request. Form. Count; I ++)
{
Getkeys = System. Web. HttpContext. Current. Request. Form. Keys [I];
If (! ProcessSqlStr (System. Web. HttpContext. Current. Request. Form [getkeys])
{
System. Web. HttpContext. Current. Response. Redirect (sqlErrorPage + "? Errmsg = sqlserver & sqlprocess = true ");
System. Web. HttpContext. Current. Response. End ();
}
}
}
}
Catch
{
// Error handling: process user submitted information!
}
}
/// <Summary>
/// Analyze whether the user request is normal
/// </Summary>
/// <Param name = "Str"> input user to submit data </param>
/// <Returns> whether SQL injection attack code is returned </returns>
Private bool ProcessSqlStr (string Str)
{
Bool ReturnValue = true;
Try
{
If (Str! = "")
{
String SqlStr = "and | exec | insert | select | delete | update | count | * | chr | mid | master | truncate | char | declare ";
String [] anySqlStr = SqlStr. Split (| );
Foreach (string ss in anySqlStr)
{
If (Str. IndexOf (ss)> = 0)
{
ReturnValue = false;
}
}
}
}
Catch
{
ReturnValue = false;
}
Return ReturnValue;
}
# Endregion

}
}

// System. Configuration. ConfigurationSettings. deleetask[ "CustomErrorPage"]. ToString (); the address of the custom error page prompt,
// Add a CustomErrorPage in the Web. Config file.
// <! -- Custom address on the error page to prevent SQL database injection attacks -->
// <Add key = "CustomErrorPage" value = "../Error.html"/>

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Use HttpModule to prevent database Injection

Contact Us

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support