What is SQL injection?
The sql injection I understand is that some people can input malicious parameters to let the background execute this SQL, and then achieve the purpose of obtaining data or destroying the database!
To give a simple query example, the background sql is spliced: select * from Test where name='+parameter transfer+'; the front page requires entering name, then the hacker can enter: ';DROP TABLE Test;-- Don't Look down on this piece of SQL code:
select * from Test where name=' ';DROP TABLE Test;--'; It is correct and executable in SQL, but after execution, the entire Test table is deleted and the website crashes !
The best solution
The best way is not to write splicing SQL, but to use parameterized SQL, which is recommended for new projects. There is no introduction here. Interested friends can search for it by themselves. The method introduced in this article is suitable for old projects, that is, there are no programs developed using parameterized SQL.
Use the filter function to filter
Remove some dangerous SQL keywords, as well as comment percent signs and semicolons, which are characters that do not appear at all when we write code normally. Filter out, which can ensure the safety of SQL execution to the greatest extent. The code is as follows:
public class SqlFilter
{
public static void Filter()
{
string fileter_sql = "execute,exec,select,insert,update,delete,create,drop,alter,exists,table,sysobjects,truncate,union,and,order,xor,or,mid,cast,where,asc,desc,xp_cmdshell,join,declare,nvarchar,varchar,char,sp_oacreate,wscript.shell,xp_regwrite,',%,;,--";
try
{
// -----------------------防 Post 注入-----------------------
if (HttpContext.Current.Request.Form != null)
{
PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
//把 Form 属性改为可读写
isreadonly.SetValue(HttpContext.Current.Request.Form, false, null);
for (int k = 0; k < System.Web.HttpContext.Current.Request.Form.Count; k++)
{
string getsqlkey = HttpContext.Current.Request.Form.Keys[k];
string sqlstr = HttpContext.Current.Request.Form[getsqlkey];
string[] replace_sqls = fileter_sql.Split(',');
foreach (string replace_sql in replace_sqls)
{
sqlstr = Regex.Replace(sqlstr, replace_sql, "", RegexOptions.IgnoreCase);
}
HttpContext.Current.Request.Form[getsqlkey] = sqlstr;
}
}
// -----------------------防 GET 注入-----------------------
if (HttpContext.Current.Request.QueryString != null)
{
PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
//把 QueryString 属性改为可读写
isreadonly.SetValue(HttpContext.Current.Request.QueryString, false, null);
for (int k = 0; k < System.Web.HttpContext.Current.Request.QueryString.Count; k++)
{
string getsqlkey = HttpContext.Current.Request.QueryString.Keys[k];
string sqlstr = HttpContext.Current.Request.QueryString[getsqlkey];
string[] replace_sqls = fileter_sql.Split(',');
foreach (string replace_sql in replace_sqls)
{
sqlstr = Regex.Replace(sqlstr, replace_sql, "", RegexOptions.IgnoreCase);
}
HttpContext.Current.Request.QueryString[getsqlkey] = sqlstr;
}
}
// -----------------------防 Cookies 注入-----------------------
if (HttpContext.Current.Request.Cookies != null)
{
PropertyInfo isreadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
//把 Cookies 属性改为可读写
isreadonly.SetValue(HttpContext.Current.Request.Cookies, false, null);
for (int k = 0; k < System.Web.HttpContext.Current.Request.Cookies.Count; k++)
{
string getsqlkey = HttpContext.Current.Request.Cookies.Keys[k];
string sqlstr = HttpContext.Current.Request.Cookies[getsqlkey].Value;
string[] replace_sqls = fileter_sql.Split(',');
foreach (string replace_sql in replace_sqls)
{
sqlstr = Regex.Replace(sqlstr, replace_sql, "", RegexOptions.IgnoreCase);
}
HttpContext.Current.Request.Cookies[getsqlkey].Value = sqlstr;
}
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
}More ASP.NET filtering class SqlFilter to prevent SQL injection. For related articles, please pay attention to the PHP Chinese website!
C# and .NET: Understanding the Relationship Between the TwoApr 17, 2025 am 12:07 AMThe relationship between C# and .NET is inseparable, but they are not the same thing. C# is a programming language, while .NET is a development platform. C# is used to write code, compile into .NET's intermediate language (IL), and executed by the .NET runtime (CLR).
The Continued Relevance of C# .NET: A Look at Current UsageApr 16, 2025 am 12:07 AMC#.NET is still important because it provides powerful tools and libraries that support multiple application development. 1) C# combines .NET framework to make development efficient and convenient. 2) C#'s type safety and garbage collection mechanism enhance its advantages. 3) .NET provides a cross-platform running environment and rich APIs, improving development flexibility.
From Web to Desktop: The Versatility of C# .NETApr 15, 2025 am 12:07 AMC#.NETisversatileforbothwebanddesktopdevelopment.1)Forweb,useASP.NETfordynamicapplications.2)Fordesktop,employWindowsFormsorWPFforrichinterfaces.3)UseXamarinforcross-platformdevelopment,enablingcodesharingacrossWindows,macOS,Linux,andmobiledevices.
C# .NET and the Future: Adapting to New TechnologiesApr 14, 2025 am 12:06 AMC# and .NET adapt to the needs of emerging technologies through continuous updates and optimizations. 1) C# 9.0 and .NET5 introduce record type and performance optimization. 2) .NETCore enhances cloud native and containerized support. 3) ASP.NETCore integrates with modern web technologies. 4) ML.NET supports machine learning and artificial intelligence. 5) Asynchronous programming and best practices improve performance.
Is C# .NET Right for You? Evaluating its ApplicabilityApr 13, 2025 am 12:03 AMC#.NETissuitableforenterprise-levelapplicationswithintheMicrosoftecosystemduetoitsstrongtyping,richlibraries,androbustperformance.However,itmaynotbeidealforcross-platformdevelopmentorwhenrawspeediscritical,wherelanguageslikeRustorGomightbepreferable.
C# Code within .NET: Exploring the Programming ProcessApr 12, 2025 am 12:02 AMThe programming process of C# in .NET includes the following steps: 1) writing C# code, 2) compiling into an intermediate language (IL), and 3) executing by the .NET runtime (CLR). The advantages of C# in .NET are its modern syntax, powerful type system and tight integration with the .NET framework, suitable for various development scenarios from desktop applications to web services.
C# .NET: Exploring Core Concepts and Programming FundamentalsApr 10, 2025 am 09:32 AMC# is a modern, object-oriented programming language developed by Microsoft and as part of the .NET framework. 1.C# supports object-oriented programming (OOP), including encapsulation, inheritance and polymorphism. 2. Asynchronous programming in C# is implemented through async and await keywords to improve application responsiveness. 3. Use LINQ to process data collections concisely. 4. Common errors include null reference exceptions and index out-of-range exceptions. Debugging skills include using a debugger and exception handling. 5. Performance optimization includes using StringBuilder and avoiding unnecessary packing and unboxing.
Testing C# .NET Applications: Unit, Integration, and End-to-End TestingApr 09, 2025 am 12:04 AMTesting strategies for C#.NET applications include unit testing, integration testing, and end-to-end testing. 1. Unit testing ensures that the minimum unit of the code works independently, using the MSTest, NUnit or xUnit framework. 2. Integrated tests verify the functions of multiple units combined, commonly used simulated data and external services. 3. End-to-end testing simulates the user's complete operation process, and Selenium is usually used for automated testing.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
Dreamweaver Mac version
Visual web development tools
Dreamweaver CS6
Visual web development tools
