How to prevent sql injection in c#?
The security of the website is the most concerned issue for every website developer and operator. Once there is a vulnerability in the website, it will inevitably cause great losses. In order to improve the security of the website, the website must first be protected from injections.
Let’s introduce to you several ways to prevent sql injection in C#:
Method 1:
Add the following tag under the Web.config file:
< appSettings> < add key="safeParameters" value="OrderID-int32,CustomerEmail-email,ShippingZipcode-USzip" /> < /appSettings>
The key is < saveParameters> and the following value is "OrderId-int32", etc., where "-" in front indicates the parameters. The name is such as: OrderId, and the int32 behind it indicates the data type.
Method 2:
Add the following paragraph in Global.asax:
protected void Application_BeginRequest(Object sender, EventArgs e){
String[] safeParameters = System.Configuration.ConfigurationSettings.AppSettings["safeParameters"].ToString()。Split(',');
for(int i= 0 ;i < safeParameters.Length; i++){
String parameterName = safeParameters[i].Split('-')[0];
String parameterType = safeParameters[i].Split('-')[1];
isValidParameter(parameterName, parameterType);
}
}
public void isValidParameter(string parameterName, string parameterType){
string parameterValue = Request.QueryString[parameterName];
if(parameterValue == null) return;
if(parameterType.Equals("int32")){
if(!parameterCheck.isInt(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("USzip")){
if(!parameterCheck.isUSZip(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("email")){
if(!parameterCheck.isEmail(parameterValue)) Response.Redirect("parameterError.aspx");
}
}Method 3:
Use string filtering class
/**//// < summary>
/// 处理用户提交的请求
/// < /summary>
public static void StartProcessRequest()
{
// System.Web.HttpContext.Current.Response.Write("< script>alert('dddd');< /script>");
try
{
string getkeys = ""; //string sqlErrorPage = System.Configuration.ConfigurationSettings.AppSettings["CustomErrorPage"].ToString();
if (System.Web.HttpContext.Current.Request.QueryString != null)
{
for(int i=0;i< System.Web.HttpContext.Current.Request.QueryString.Count;i++) {
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys],0))
{
//System.Web.HttpContext.Current.Response.Redirect (sqlErrorPage+"?errmsg=sqlserver&sqlprocess=true");
System.Web.HttpContext.Current.Response.Write("< script>alert('请勿非法提交!');history.back();< /script>");
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for(int i=0;i< System.Web.HttpContext.Current.Request.Form.Count;i++) {
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys],1))
{
//System.Web.HttpContext.Current.Response.Redirect (sqlErrorPage+"?errmsg=sqlserver&sqlprocess=true");
System.Web.HttpContext.Current.Response.Write("< script>alert('请勿非法提交!');history.back();< /script>");
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
// 错误处理: 处理用户提交信息!
}
}
/**//// < summary>
/// 分析用户请求是否正常
/// < /summary>
/// < param name="Str">传入用户提交数据< /param>
/// < returns>返回是否含有SQL注入式攻击代码< /returns>
private static bool ProcessSqlStr(string Str,int type)
{
string SqlStr; if(type == 1)
SqlStr = "exec |insert |select |delete |update |count |chr |mid |master |truncate |char |declare "; else
SqlStr = "'|and|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare"; bool ReturnValue = true; try
{
if (Str != "")
{
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.IndexOf(ss)>=0)
{
ReturnValue = false; }
}
}
}
catch
{
ReturnValue = false; }
return ReturnValue; }
#endregion }
}Recommended related video tutorials: "C#Tutorial"
The above is the detailed content of How to prevent sql injection in c#?. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1392
52
Active Directory with C#
Sep 03, 2024 pm 03:33 PM
Guide to Active Directory with C#. Here we discuss the introduction and how Active Directory works in C# along with the syntax and example.
C# Serialization
Sep 03, 2024 pm 03:30 PM
Guide to C# Serialization. Here we discuss the introduction, steps of C# serialization object, working, and example respectively.
Random Number Generator in C#
Sep 03, 2024 pm 03:34 PM
Guide to Random Number Generator in C#. Here we discuss how Random Number Generator work, concept of pseudo-random and secure numbers.
C# Data Grid View
Sep 03, 2024 pm 03:32 PM
Guide to C# Data Grid View. Here we discuss the examples of how a data grid view can be loaded and exported from the SQL database or an excel file.
Patterns in C#
Sep 03, 2024 pm 03:33 PM
Guide to Patterns in C#. Here we discuss the introduction and top 3 types of Patterns in C# along with its examples and code implementation.
Factorial in C#
Sep 03, 2024 pm 03:34 PM
Guide to Factorial in C#. Here we discuss the introduction to factorial in c# along with different examples and code implementation.
Prime Numbers in C#
Sep 03, 2024 pm 03:35 PM
Guide to Prime Numbers in C#. Here we discuss the introduction and examples of prime numbers in c# along with code implementation.
The difference between multithreading and asynchronous c#
Apr 03, 2025 pm 02:57 PM
The difference between multithreading and asynchronous is that multithreading executes multiple threads at the same time, while asynchronously performs operations without blocking the current thread. Multithreading is used for compute-intensive tasks, while asynchronously is used for user interaction. The advantage of multi-threading is to improve computing performance, while the advantage of asynchronous is to not block UI threads. Choosing multithreading or asynchronous depends on the nature of the task: Computation-intensive tasks use multithreading, tasks that interact with external resources and need to keep UI responsiveness use asynchronous.
