I recently took over a project from someone else and found that there was a SQL injection vulnerability. Since I didn’t want to change too many codes, I didn’t need to use the parameter method to prevent injection. We can only use the traditional stupid method.
1. Create a new Global.asax file.
2. Add the following code:
void Application_BeginRequest(object sender, EventArgs e) { bool result = false; if (Request.RequestType.ToUpper() == "POST") { //post方式的我就不写了。 } else { result = ValidUrlGetData(); } if (result) { Response.Write("您提交的数据有恶意字符!"); Response.End(); } } /// /// 获取QueryString中的数据 /// public static bool ValidUrlGetData() { bool result = false; for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++) { result = Validate(HttpContext.Current.Request.QueryString[i].ToString()); if (result) { break; }//如果检测存在漏洞 } return result; } public static string []strs = new string[] {"select","drop","exists","exec","insert","delete","update","and","or","user" };//此处我随便加了几个,大家可以多加点哈。 public static bool Validate(string str) { for (int i = 0; i < strs.Length; i++) { if (str.IndexOf(strs[i]) != -1) { return true; break; } } return false; }
The above is the detailed content of ASP.NET method instance parsing to prevent SQL injection. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
