|
|
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Upper bound on the request body accepted by IIS request filtering, in bytes:
             104857600 = 100 * 1024 * 1024 (100 MiB). This is a server-level limit and is
             separate from any limit the application itself configures. -->
        <requestLimits maxAllowedContentLength="104857600" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
|
/// <summary>
/// Builds the web host with the default ASP.NET Core configuration, the application's
/// <see cref="Startup"/> class and a Kestrel request-body cap.
/// </summary>
/// <param name="args">Command-line arguments handed to <c>WebHost.CreateDefaultBuilder</c>.</param>
/// <returns>The configured (not yet built) <see cref="IWebHostBuilder"/>.</returns>
public static IWebHostBuilder CreateWebHostBuilder(string[] args)
{
    // Kestrel's MaxRequestBodySize is expressed in bytes:
    // 52428800 = 50 * 1024 * 1024 (50 MiB).
    const long kestrelMaxBodyBytes = 52428800;

    IWebHostBuilder builder = WebHost.CreateDefaultBuilder(args);
    builder = builder.UseStartup<Startup>();

    return builder.UseKestrel(kestrel =>
    {
        kestrel.Limits.MaxRequestBodySize = kestrelMaxBodyBytes;
    });
}
}
|
/// <summary>
/// Accepts a single uploaded file. The body is still a TODO: nothing is saved yet, the
/// method has no return statement, and it is declared <c>async</c> without an <c>await</c>,
/// so as written it does not compile.
/// </summary>
/// <param name="file">
/// The uploaded form file. Model binding leaves it null when the request carries no
/// form field named "file", so check for null before saving.
/// </param>
/// <returns>The action result (to be defined once the save logic exists).</returns>
[HttpPost]
// Per-action request-body cap, in bytes. The value is decimal 40,000,000 (about 38.1 MiB),
// not 40 MiB; it replaces the server-wide body limit for this action only.
[RequestSizeLimit(40000000)]
public async Task<IActionResult> UploadFiles(IFormFile file)
{
    //TODO: Save file
}
위의 두 방법보다는 file upload를 하는 딱 그 함수에만 제약을 거는 것이 더 안전할 것처럼 보인다.
출처 : http://forums.asp.net/t/1254125.aspx
를 보면 ASP.NET 1.1이냐 2.0이냐에 따라 각각 이렇게 하라고 한다. 아직은 난 web.config가 익숙지 않아서 그런지 1.1 방식으로 하면 잘 되는데 2.0 방식으로는 잘 안된다. -_-
ASP.NET 1.1 C#
global.asax
|
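using System.Globalization;

// Defines the set of substrings that will be checked.
// You can add to this list, or remove items from this list, as appropriate for your site.
// Note that the list contains ordinary words ("end", "open", "select", "table", "begin",
// "cast", "char") and "@", so legitimate input such as an e-mail address or free text is
// rejected as well. This screen is a coarse heuristic and is not a substitute for
// parameterised queries in the data-access code.
public static string[] blackList = { "--", ";--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update" };

// The utility method that performs the blacklist comparisons (case-insensitive,
// invariant culture). You can change the error handling, and error redirect location,
// to whatever makes sense for your site.
private void CheckInput(string parameter)
{
    // A null or empty value contains nothing to match; CompareInfo.IndexOf would
    // throw ArgumentNullException for null, so bail out first.
    if (string.IsNullOrEmpty(parameter))
    {
        return;
    }

    CompareInfo comparer = CultureInfo.InvariantCulture.CompareInfo;
    foreach (string token in blackList)
    {
        if (comparer.IndexOf(parameter, token, CompareOptions.IgnoreCase) >= 0)
        {
            // Handle the discovery of suspicious SQL characters here.
            // Response.Redirect ends the current response; the explicit return makes it
            // clear that the remaining tokens are not checked once one has matched.
            Response.Redirect("~/Error.aspx"); //generic error page on your site
            return;
        }
    }
}

// For each incoming request, screen every query-string, form and cookie value.
void Application_BeginRequest(object sender, EventArgs e)
{
    foreach (string key in Request.QueryString)
    {
        CheckInput(Request.QueryString[key]);
    }
    foreach (string key in Request.Form)
    {
        CheckInput(Request.Form[key]);
    }
    foreach (string key in Request.Cookies)
    {
        CheckInput(Request.Cookies[key].Value);
    }
}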
ASP.NET 2.0 C#
App_Code/SampleSqlInjectionScreeningModule.cs
|
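using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

namespace Sample
{
    /// <summary>
    /// HTTP module that screens every query-string, form and cookie value of each request
    /// against <see cref="blackList"/> and redirects to the error page on the first match.
    /// This is a coarse heuristic layered in front of the application; it does not replace
    /// parameterised queries in the data-access code.
    /// </summary>
    public class SampleSqlInjectionScreeningModuleCS : IHttpModule
    {
        // Defines the set of substrings that will be checked.
        // You can add to this list, or remove items from this list, as appropriate for your site.
        // Note that it contains ordinary words ("end", "open", "select", "table", "begin",
        // "cast", "char") and "@", so legitimate input such as an e-mail address or free
        // text is rejected as well.
        public static string[] blackList = { "--", ";--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update" };

        public void Dispose()
        {
            // no-op: nothing is held that needs releasing
        }

        // Tells ASP.NET that there is code to run during BeginRequest.
        public void Init(HttpApplication app)
        {
            app.BeginRequest += new EventHandler(app_BeginRequest);
        }

        // For each incoming request, check the query-string, form and cookie values for suspicious values.
        void app_BeginRequest(object sender, EventArgs e)
        {
            HttpApplication app = sender as HttpApplication;
            if (app == null)
            {
                // Without an HttpApplication there is no request to screen; the original
                // "as" cast would have dereferenced null here.
                return;
            }

            HttpRequest request = app.Context.Request;
            foreach (string key in request.QueryString)
            {
                CheckInput(request.QueryString[key]);
            }
            foreach (string key in request.Form)
            {
                CheckInput(request.Form[key]);
            }
            foreach (string key in request.Cookies)
            {
                CheckInput(request.Cookies[key].Value);
            }
        }

        // The utility method that performs the blacklist comparisons (ordinal, case-insensitive).
        // You can change the error handling, and error redirect location, to whatever makes sense for your site.
        private void CheckInput(string parameter)
        {
            // A null or empty value contains nothing to match; calling IndexOf on null
            // would throw NullReferenceException, so bail out first.
            if (string.IsNullOrEmpty(parameter))
            {
                return;
            }

            foreach (string token in blackList)
            {
                if (parameter.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    // Handle the discovery of suspicious SQL characters here.
                    // Response.Redirect ends the current response; the explicit return makes
                    // it clear that the remaining tokens are not checked once one has matched.
                    HttpContext.Current.Response.Redirect("~/Error.aspx"); //generic error page on your site
                    return;
                }
            }
        }
    }
}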
iBatis.Net에서 쿼리를 로그로 출력하면 죽~ 한 줄로만 나온다.
이때 가독성을 높이기 위해서 iBatis.Net의 코드에서 아래를 변경한다.
DataMapper 프로젝트의 DomSqlMapBuilder 클래스에서 ParseDynamicTags() 메소드…
|
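// Original iBatis.Net line, disabled: it also folded newlines and carriage returns into
// spaces, which is why logged statements came out on a single line.
//string data = child.InnerText.Replace('\n', ' ').Replace('\r', ' ').Replace('\t', ' ');
// Only tabs are replaced now, so line breaks survive into the log output.
// The argument is the escaped tab character '\t', not the letter 't' — the latter
// would blank every 't' in the SQL text ("select" would become "selec ").
string data = child.InnerText.Replace('\t', ' ');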
|
2008-10-24 11:39:24,281 - Statement Id: [select_categories] Prepared SQL: [select CategoryID, CategoryName, Description from Categories] |
|
링크
|