alert( 'ddd');"]."/> alert( 'ddd');"].">

Home >Backend Development >C#.Net Tutorial >How to prevent sql injection in c#?

How to prevent sql injection in c#?

青灯夜游
青灯夜游Original
2019-05-10 17:24:487341browse

The security of the website is the most concerned issue for every website developer and operator. Once there is a vulnerability in the website, it will inevitably cause great losses. In order to improve the security of the website, the website must first be protected from injections.

How to prevent sql injection in c#?

Let’s introduce to you several ways to prevent sql injection in C#:

Method 1:

Add the following tag under the Web.config file:

< appSettings>
  < add key="safeParameters" value="OrderID-int32,CustomerEmail-email,ShippingZipcode-USzip" />
< /appSettings>

The key is 403c6cc3e9e4261fe0da1b089a4e2ef5 and the following value is "OrderId-int32", etc., where "-" in front indicates the parameters. The name is such as: OrderId, and the int32 behind it indicates the data type.

Method 2:

Add the following paragraph in Global.asax:

protected void Application_BeginRequest(Object sender, EventArgs e){
  String[] safeParameters = System.Configuration.ConfigurationSettings.AppSettings["safeParameters"].ToString()。Split(&#39;,&#39;);
  for(int i= 0 ;i < safeParameters.Length; i++){
  String parameterName = safeParameters[i].Split(&#39;-&#39;)[0];
  String parameterType = safeParameters[i].Split(&#39;-&#39;)[1];
  isValidParameter(parameterName, parameterType);
  }
  }
  public void isValidParameter(string parameterName, string parameterType){
  string parameterValue = Request.QueryString[parameterName];
  if(parameterValue == null) return;
  if(parameterType.Equals("int32")){
  if(!parameterCheck.isInt(parameterValue)) Response.Redirect("parameterError.aspx");
  }
  else if (parameterType.Equals("USzip")){
  if(!parameterCheck.isUSZip(parameterValue)) Response.Redirect("parameterError.aspx");
  }
  else if (parameterType.Equals("email")){
  if(!parameterCheck.isEmail(parameterValue)) Response.Redirect("parameterError.aspx");
  }
  }

Method 3:

Use string filtering class

 /**//// < summary>
  /// 处理用户提交的请求
  /// < /summary>
  public static void StartProcessRequest()
  {
  // System.Web.HttpContext.Current.Response.Write("< script>alert(&#39;dddd&#39;);< /script>");
  try
  {
  string getkeys = "";  //string sqlErrorPage = System.Configuration.ConfigurationSettings.AppSettings["CustomErrorPage"].ToString();
  if (System.Web.HttpContext.Current.Request.QueryString != null)
  {
  for(int i=0;i< System.Web.HttpContext.Current.Request.QueryString.Count;i++)  {
  getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];  if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys],0))
  {
  //System.Web.HttpContext.Current.Response.Redirect (sqlErrorPage+"?errmsg=sqlserver&sqlprocess=true");
  System.Web.HttpContext.Current.Response.Write("< script>alert(&#39;请勿非法提交!&#39;);history.back();< /script>");
  System.Web.HttpContext.Current.Response.End();
  }
  }
  }
  if (System.Web.HttpContext.Current.Request.Form != null)
  {
  for(int i=0;i< System.Web.HttpContext.Current.Request.Form.Count;i++)  {
  getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];  if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys],1))
  {
  //System.Web.HttpContext.Current.Response.Redirect (sqlErrorPage+"?errmsg=sqlserver&sqlprocess=true");
  System.Web.HttpContext.Current.Response.Write("< script>alert(&#39;请勿非法提交!&#39;);history.back();< /script>");
  System.Web.HttpContext.Current.Response.End();
  }
  }
  }
  }
  catch
  {
  // 错误处理: 处理用户提交信息!
  }
  }
  /**//// < summary>
  /// 分析用户请求是否正常
  /// < /summary>
  /// < param name="Str">传入用户提交数据< /param>
  /// < returns>返回是否含有SQL注入式攻击代码< /returns>
  private static bool ProcessSqlStr(string Str,int type)
  {
  string SqlStr;  if(type == 1)
  SqlStr = "exec |insert |select |delete |update |count |chr |mid |master |truncate |char |declare ";  else
  SqlStr = "&#39;|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare";  bool ReturnValue = true;  try
  {
  if (Str != "")
  {
  string[] anySqlStr = SqlStr.Split(&#39;|&#39;);
  foreach (string ss in anySqlStr)
  {
  if (Str.IndexOf(ss)>=0)
  {
  ReturnValue = false;  }
  }
  }
  }
  catch
  {
  ReturnValue = false;  }
  return ReturnValue;  }
  #endregion  }
  }

Recommended related video tutorials: "C#Tutorial"

The above is the detailed content of How to prevent sql injection in c#?. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn