Using C # in the. NET environment to prevent SQL injection attacks, our solution is:
1, first in the UI input, to control the type and length of data, to prevent SQL injection attacks, the system provides detection of injection-type attack function, once the detection of injection-type attack, the data can not be submitted;
2, the Business Logic layer control, by the method inside the SQL keyword in a certain way to screen out, and then check the length of data, to ensure that the submission of SQL, there will be no SQL database injection attack code; However, when this is done, the masked characters are restored when the UI output is required. So the system provides functions for shielding characters and for restoring characters.
3, in the data access layer, the vast majority of the use of stored procedures to access data, calls to stored procedure parameters in the manner of access, will also be good to prevent injection-type attacks.