anydragon

SQL Injection 방어

출처 : http://forums.asp.net/t/1254125.aspx

를 보면 ASP.NET 1.1이냐 2.0 이냐에 따라 각각 이렇게 하라고 한다. 아직은 난 web.config가 익숙치 않아서 그런지 1.1 방식으로 하면 잘 되는데 2.0 방식으로는 잘 안된다. -_-

ASP.NET 1.1 C#

global.asax

using System.Globalization;
//Defines the set of characters that will be checked.
//You can add to this list, or remove items from this list, as appropriate for your site
public static string[] blackList = {
  "--",
  ";--",
  ";",
  "/*",
  "*/",
  "@@",
  "@",
  "char",
  "nchar",
  "varchar",
  "nvarchar",
  "alter",
  "begin",
  "cast",
  "create",
  "cursor",
  "declare",
  "delete",
  "drop",
  "end",
  "exec",
  "execute",
  "fetch",
  "insert",
  "kill",
  "open",
  "select",
  "sys",
  "sysobjects",
  "syscolumns",
  "table",
  "update"
};
//The utility method that performs the blacklist comparisons
//You can change the error handling, and error redirect location to whatever makes sense for your site.
private void CheckInput(string parameter) {
  CompareInfo comparer = CultureInfo.InvariantCulture.CompareInfo;
  for (int i = 0; i < blackList.Length; i++) {
    if (comparer.IndexOf(parameter, blackList[i], CompareOptions.IgnoreCase) >= 0) {
      //
      //Handle the discovery of suspicious Sql characters here
      //
      Response.Redirect("~/Error.aspx"); //generic error page on your site
    }
  }
}

void Application_BeginRequest(object sender, EventArgs e) {
  foreach(string key in Request.QueryString)
  CheckInput(Request.QueryString[key]);
  foreach(string key in Request.Form)
  CheckInput(Request.Form[key]);
  foreach(string key in Request.Cookies)
  CheckInput(Request.Cookies[key].Value);
}

using System.Globalization;

//Defines the set of characters that will be checked.

//You can add to this list, or remove items from this list, as appropriate for your site

public static string[] blackList = {

"--",

";--",

";",

"/*",

"*/",

"@@",

"@",

"char",

"nchar",

"varchar",

"nvarchar",

"alter",

"begin",

"cast",

"create",

"cursor",

"declare",

"delete",

"drop",

"end",

"exec",

"execute",

"fetch",

"insert",

"kill",

"open",

"select",

"sys",

"sysobjects",

"syscolumns",

"table",

"update"

};

//The utility method that performs the blacklist comparisons

//You can change the error handling, and error redirect location to whatever makes sense for your site.

private void CheckInput(string parameter) {

CompareInfo comparer = CultureInfo.InvariantCulture.CompareInfo;

for (int i = 0; i < blackList.Length; i++) {

if (comparer.IndexOf(parameter, blackList[i], CompareOptions.IgnoreCase) >= 0) {

//Handle the discovery of suspicious Sql characters here

Response.Redirect("~/Error.aspx"); //generic error page on your site

}

void Application_BeginRequest(object sender, EventArgs e) {

foreach(string key in Request.QueryString)

CheckInput(Request.QueryString[key]);

foreach(string key in Request.Form)

CheckInput(Request.Form[key]);

foreach(string key in Request.Cookies)

CheckInput(Request.Cookies[key].Value);

}

ASP.NET 2.0 C#

App_Code/SampleSqlInjectionScreeningModule.cs

using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

namespace Sample {
  public class SampleSqlInjectionScreeningModuleCS: IHttpModule {
    //Defines the set of characters that will be checked.
    //You can add to this list, or remove items from this list, as appropriate for your site
    public static string[] blackList = {
      "--",
      ";--",
      ";",
      "/*",
      "*/",
      "@@",
      "@",
      "char",
      "nchar",
      "varchar",
      "nvarchar",
      "alter",
      "begin",
      "cast",
      "create",
      "cursor",
      "declare",
      "delete",
      "drop",
      "end",
      "exec",
      "execute",
      "fetch",
      "insert",
      "kill",
      "open",
      "select",
      "sys",
      "sysobjects",
      "syscolumns",
      "table",
      "update"
    };

    public void Dispose() {
      //no-op
    }

    //Tells ASP.NET that there is code to run during BeginRequest
    public void Init(HttpApplication app) {
      app.BeginRequest += new EventHandler(app_BeginRequest);
    }

    //For each incoming request, check the query-string, form and cookie values for suspicious values.
    void app_BeginRequest(object sender, EventArgs e) {
      HttpRequest Request = (sender as HttpApplication).Context.Request;

      foreach(string key in Request.QueryString)
      CheckInput(Request.QueryString[key]);
      foreach(string key in Request.Form)
      CheckInput(Request.Form[key]);
      foreach(string key in Request.Cookies)
      CheckInput(Request.Cookies[key].Value);
    }

    //The utility method that performs the blacklist comparisons
    //You can change the error handling, and error redirect location to whatever makes sense for your site.
    private void CheckInput(string parameter) {
      for (int i = 0; i < blackList.Length; i++) {
        if ((parameter.IndexOf(blackList[i], StringComparison.OrdinalIgnoreCase) >= 0)) {
          //
          //Handle the discovery of suspicious Sql characters here
          //
          HttpContext.Current.Response.Redirect("~/Error.aspx"); //generic error page on your site
        }
      }
    }
  }
}

using System;

using System.Data;

using System.Configuration;

using System.Linq;

using System.Web;

using System.Web.Security;

using System.Web.UI;

using System.Web.UI.HtmlControls;

using System.Web.UI.WebControls;

using System.Web.UI.WebControls.WebParts;

using System.Xml.Linq;

namespace Sample {

public class SampleSqlInjectionScreeningModuleCS: IHttpModule {

//Defines the set of characters that will be checked.

//You can add to this list, or remove items from this list, as appropriate for your site

public static string[] blackList = {

"--",

";--",

";",

"/*",

"*/",

"@@",

"@",

"char",

"nchar",

"varchar",

"nvarchar",

"alter",

"begin",

"cast",

"create",

"cursor",

"declare",

"delete",

"drop",

"end",

"exec",

"execute",

"fetch",

"insert",

"kill",

"open",

"select",

"sys",

"sysobjects",

"syscolumns",

"table",

"update"

};

public void Dispose() {

//no-op

}

//Tells ASP.NET that there is code to run during BeginRequest

public void Init(HttpApplication app) {

app.BeginRequest += new EventHandler(app_BeginRequest);

}

//For each incoming request, check the query-string, form and cookie values for suspicious values.

void app_BeginRequest(object sender, EventArgs e) {

HttpRequest Request = (sender as HttpApplication).Context.Request;

foreach(string key in Request.QueryString)

CheckInput(Request.QueryString[key]);

foreach(string key in Request.Form)

CheckInput(Request.Form[key]);

foreach(string key in Request.Cookies)

CheckInput(Request.Cookies[key].Value);

}

//The utility method that performs the blacklist comparisons

//You can change the error handling, and error redirect location to whatever makes sense for your site.

private void CheckInput(string parameter) {

for (int i = 0; i < blackList.Length; i++) {

if ((parameter.IndexOf(blackList[i], StringComparison.OrdinalIgnoreCase) >= 0)) {

//Handle the discovery of suspicious Sql characters here

HttpContext.Current.Response.Redirect("~/Error.aspx"); //generic error page on your site

}

anydragon

참고자료

최신 글

보관함

svn 암호의 암호화

trac 내 graphviz Sample

SQL Injection 방어

태그

링크

메타