This article is a mirror article of machine translation, please click here to jump to the original article.

Architect_Programmer_Code Agriculture Network»Architect Programming .Net/C # C#. .NET to prevent SQL injection attacks
View: 17354|Reply: 0

[WinForm] C#. .NET to prevent SQL injection attacks

[Copy link]
Posted on 4/19/2015 11:32:01 PM | | |
  1. #region  防止sql注入式攻击(可用于UI层控制)
  2.   
  3.    ///
  4.    ///  判断字符串中是否有SQL攻击代码
  5.    ///
  6.    ///  传入用户提交数据
  7.    ///  true-安全;false-有注入攻击现有;
  8.    public   bool  ProcessSqlStr( string  inputString)
  9.      {
  10.       string  SqlStr  =   @"
  11. and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net
  12. +localgroup +administrators " ;
  13.         try
  14.           {
  15.             if  ((inputString  !=   null )  &&  (inputString  !=  String.Empty))
  16.               {
  17.                 string  str_Regex  =   @" \b( "   +  SqlStr  +   @" )\b " ;
  18.   
  19.                Regex Regex  =   new  Regex(str_Regex, RegexOptions.IgnoreCase);
  20.                 // string s = Regex.Match(inputString).Value;
  21.                 if  ( true   ==  Regex.IsMatch(inputString))
  22.                     return   false ;
  23.   
  24.           }
  25.       }
  26.        catch
  27.          {
  28.            return   false ;
  29.       }
  30.        return   true ;
  31.   }


  34.    ///
  35.   ///  处理用户提交的请求,校验sql注入式攻击,在页面装置时候运行
  36.   ///  System.Configuration.ConfigurationSettings.AppSettings["ErrorPage"].ToString(); 为用户自定义错误页面提示地址,
  37.   ///  在Web.Config文件时里面添加一个 ErrorPage 即可
  38.   ///
  39.   ///     
  40.   ///  
  41.   public   void  ProcessRequest()
  42.     {
  43.        try
  44.          {
  45.            string  getkeys  =   "" ;
  46.            string  sqlErrorPage  =  System.Configuration.ConfigurationSettings.AppSettings[ " ErrorPage " ].ToString();
  47.           if  (System.Web.HttpContext.Current.Request.QueryString  !=   null )
  48.             {

  50.                for  ( int  i  =   0 ; i  <  System.Web.HttpContext.Current.Request.QueryString.Count; i ++ )
  51.                 {
  52.                   getkeys  =  System.Web.HttpContext.Current.Request.QueryString.Keys;
  53.                     if  ( ! ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
  54.                       {
  55.                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage  +   " ?errmsg= "   +  getkeys  +   " 有SQL攻击嫌疑! " );
  56.                      System.Web.HttpContext.Current.Response.End();
  57.                  }
  58.              }
  59.          }
  60.           if  (System.Web.HttpContext.Current.Request.Form  !=   null )
  61.             {
  62.                for  ( int  i  =   0 ; i  <  System.Web.HttpContext.Current.Request.Form.Count; i ++ )
  63.                   {
  64.                    getkeys  =  System.Web.HttpContext.Current.Request.Form.Keys;
  65.                     if  ( ! ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
  66.                       {
  67.                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage  +   " ?errmsg= "   +  getkeys  +   " 有SQL攻击嫌疑! " );
  68.                        System.Web.HttpContext.Current.Response.End();
  69.                    }
  70.                }
  71.            }
  72.        }
  73.         catch
  74.           {
  75.             //  错误处理: 处理用户提交信息!
  76.        }
  77.    }
  78.    #endregion
Copy code
Our solution is:
1. First, when entering in the UI, to control the type and length of data to prevent SQL injection attacks, the system provides a function to detect injection attacks, once the injection attack is detected, the data cannot be submitted;
2. Business logic layer control, by blocking SQL keywords in a certain way inside the method, and then checking the data length to ensure that there will be no SQL database injection attack code when submitting SQL; However, after this processing, the masked characters are restored when the UI output. Therefore, the system provides functions to shield characters and functions to restore characters.
3. In the data access layer, most of the data is accessed by stored procedures, and the stored procedure parameters are accessed when called, which will also prevent injection attacks.







Previous:Build a custom file cache ASP.NET performance optimization
Next:c# and asp.net prevent SQL injection filtering methods

Related Posts
Disclaimer:
All software, programming materials or articles published by Code Farmer Network are only for learning and research purposes; The above content shall not be used for commercial or illegal purposes, otherwise, users shall bear all consequences. The information on this site comes from the Internet, and copyright disputes have nothing to do with this site. You must completely delete the above content from your computer within 24 hours of downloading. If you like the program, please support genuine software, purchase registration, and get better genuine services. If there is any infringement, please contact us by email.
Mail To:help@itsvse.com