Three ways to prevent injection attacks in C#


Website security is the issue every website developer and operator cares about most. Once a site has a vulnerability, it is bound to cause great loss. To improve a site's security, the first step is to prevent injection, and the most important part is getting the server's security facilities in place.

The following are a few elements of protecting a site against injection.

1: Do not splice SQL statements together from strings directly, even though this is quick and easy to write.

2: If using SQL, use parameterized queries and pass the values as Params.

3: Use stored procedures wherever possible; they offer good security and fast processing.

4: Filtering SQL, JavaScript and other injection (very important) cannot be written by hand into every file, so find a way that covers all the files at once. I collected the following three methods online.

C# method 1 for preventing SQL injection

In the Web.config file, add the following tag under <appSettings>:


  <appSettings>
  <add key="safeParameters" value="OrderID-int32,CustomerEmail-email,ShippingZipcode-USzip" />
  </appSettings>

The key is <safeParameters>; the value that follows is "OrderId-int32" and so on, where the part before "-" is the parameter name, such as OrderId, and the part after it, int32, is the data type.

C# method 2 for preventing SQL injection

Add the following code to Global.asax:


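  /// <summary>
  /// Runs at the start of every request and validates each query-string parameter
  /// declared in the "safeParameters" application setting against its declared type.
  /// </summary>
  /// <param name="sender">The application raising the event.</param>
  /// <param name="e">Event data (unused).</param>
  /// <remarks>
  /// The setting is a comma-separated list of "name-type" entries (see Web.config).
  /// A missing setting or a malformed entry is skipped rather than thrown on, because an
  /// exception here would make every request to the site fail.
  /// </remarks>
  protected void Application_BeginRequest(Object sender, EventArgs e)
  {
      // NOTE(review): ConfigurationSettings.AppSettings is obsolete; ConfigurationManager.AppSettings
      // is the replacement but needs a reference to System.Configuration.dll.
      string setting = System.Configuration.ConfigurationSettings.AppSettings["safeParameters"];
      if (string.IsNullOrEmpty(setting))
      {
          // Nothing declared, nothing to validate.
          return;
      }
      string[] safeParameters = setting.Split(',');
      for (int i = 0; i < safeParameters.Length; i++)
      {
          string[] parts = safeParameters[i].Trim().Split('-');
          if (parts.Length < 2)
          {
              // Entry without a "-type" suffix: there is no type to validate against.
              continue;
          }
          // Trim so that "OrderID-int32, CustomerEmail-email" still matches the real parameter names.
          isValidParameter(parts[0].Trim(), parts[1].Trim());
      }
  }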
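  /// <summary>
  /// Validates one query-string parameter of the current request against a declared type
  /// and redirects to the error page when the value does not match.
  /// </summary>
  /// <param name="parameterName">Name of the query-string parameter to check.</param>
  /// <param name="parameterType">Declared type: "int32", "USzip" or "email" (case-insensitive).</param>
  /// <remarks>
  /// A parameter that was not sent is accepted: the check only constrains values that are
  /// present. An unrecognised type name fails closed, so a typo in Web.config cannot leave a
  /// parameter silently unvalidated.
  /// </remarks>
  public void isValidParameter(string parameterName, string parameterType)
  {
      string parameterValue = Request.QueryString[parameterName];
      if (parameterValue == null)
      {
          return;
      }
      bool valid;
      // Ordinal, case-insensitive comparison so "Int32" or "uszip" in the config still selects a check.
      if (string.Equals(parameterType, "int32", StringComparison.OrdinalIgnoreCase))
      {
          valid = parameterCheck.isInt(parameterValue);
      }
      else if (string.Equals(parameterType, "USzip", StringComparison.OrdinalIgnoreCase))
      {
          valid = parameterCheck.isUSZip(parameterValue);
      }
      else if (string.Equals(parameterType, "email", StringComparison.OrdinalIgnoreCase))
      {
          valid = parameterCheck.isEmail(parameterValue);
      }
      else
      {
          // Unknown type name: treat as invalid rather than skipping validation.
          valid = false;
      }
      if (!valid)
      {
          // Response.Redirect ends the current response, so the page handler never sees the value.
          Response.Redirect("parameterError.aspx");
      }
  }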

C# method 3 for preventing SQL injection

Use a string-filtering class:


  using System;
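  namespace web.comm
  {
      /// <summary>
      /// Request-screening helper: scans the query string and form fields of the current
      /// request for a fixed list of SQL keywords and aborts the response when one is found.
      /// </summary>
      /// <remarks>
      /// This is a keyword blacklist and is not a substitute for parameterized queries or
      /// stored procedures; it is a coarse second line of defence. It will also reject
      /// legitimate input that happens to contain a listed word (an apostrophe in a name,
      /// "account" containing "count"), so the lists should be reviewed per application.
      /// </remarks>
      public class ProcessRequest
      {
          /// <summary>
          /// Keywords checked against form fields (type 1). Each keyword carries a trailing
          /// space so that it only matches a word that is followed by more text.
          /// </summary>
          private static readonly string[] FormKeywords =
              "exec |insert |select |delete |update |count |chr |mid |master |truncate |char |declare ".Split('|');

          /// <summary>
          /// Keywords checked against query-string values (type 0). Stricter than the form
          /// list: also rejects a single quote, "and" and "*".
          /// </summary>
          private static readonly string[] QueryKeywords =
              "'|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare".Split('|');

          /// <summary>
          /// Script written back to the client when a request is rejected: shows an alert and
          /// returns the browser to the previous page.
          /// </summary>
          private const string RejectScript = "<script>alert(' Do not submit illegally! ');history.back();</script>";

          /// <summary>
          /// Creates an instance. All functionality is static, so there is no state to set up.
          /// </summary>
          public ProcessRequest()
          {
          }

          #region SQL Injectable attack code analysis

          /// <summary>
          /// Screens every query-string and form value of the current request. If any value
          /// contains a blacklisted keyword the response is replaced by <see cref="RejectScript"/>
          /// and ended, so the page handler never runs.
          /// </summary>
          /// <remarks>
          /// Must be called on a request thread where <c>HttpContext.Current</c> is set.
          /// Unexpected errors during the scan are swallowed so that the screening cannot break
          /// the request pipeline; the <c>ThreadAbortException</c> raised by <c>Response.End</c>
          /// is rethrown explicitly so that aborting the response keeps working.
          /// </remarks>
          public static void StartProcessRequest()
          {
              try
              {
                  System.Web.HttpContext context = System.Web.HttpContext.Current;
                  // Type 0 = query string, type 1 = form; ProcessSqlStr picks the keyword list from it.
                  ScanCollection(context, context.Request.QueryString, 0);
                  ScanCollection(context, context.Request.Form, 1);
              }
              catch (System.Threading.ThreadAbortException)
              {
                  // Raised by Response.End: let it propagate so the request really stops here.
                  throw;
              }
              catch
              {
                  // Best-effort screening: an unexpected error must not break the request pipeline.
                  // NOTE(review): consider logging here so that silent failures become visible.
              }
          }

          /// <summary>
          /// Checks each value in <paramref name="values"/> with <see cref="ProcessSqlStr"/> and
          /// rejects the request on the first hit.
          /// </summary>
          /// <param name="context">Current request context used to write the rejection.</param>
          /// <param name="values">Query-string or form collection; may be null.</param>
          /// <param name="type">0 for the query string, 1 for the form (selects the keyword list).</param>
          private static void ScanCollection(System.Web.HttpContext context, System.Collections.Specialized.NameValueCollection values, int type)
          {
              if (values == null)
              {
                  return;
              }
              for (int i = 0; i < values.Count; i++)
              {
                  string key = values.Keys[i];
                  if (!ProcessSqlStr(values[key], type))
                  {
                      Reject(context);
                  }
              }
          }

          /// <summary>
          /// Replaces the response with the rejection script and ends it. <c>Response.End</c>
          /// throws <c>ThreadAbortException</c>, so nothing after this call runs.
          /// </summary>
          /// <param name="context">Current request context.</param>
          private static void Reject(System.Web.HttpContext context)
          {
              context.Response.Write(RejectScript);
              context.Response.End();
          }

          /// <summary>
          /// Tests whether a submitted value is free of blacklisted SQL keywords.
          /// </summary>
          /// <param name="Str">Value submitted by the user; null or empty is treated as clean.</param>
          /// <param name="type">1 selects the form keyword list, any other value the query-string list.</param>
          /// <returns>true when no keyword is found, false when the value should be rejected.</returns>
          private static bool ProcessSqlStr(string Str, int type)
          {
              if (string.IsNullOrEmpty(Str))
              {
                  return true;
              }
              string[] keywords = type == 1 ? FormKeywords : QueryKeywords;
              foreach (string keyword in keywords)
              {
                  // Ordinal and case-insensitive: the previous culture-aware, case-sensitive IndexOf
                  // let "SELECT" through and could behave differently depending on server culture.
                  if (Str.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
                  {
                      return false;
                  }
              }
              return true;
          }

          #endregion
      }
  }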

