Is there any way to prevent sql injection attack?

Loveyou3000 146 Reputation points
2021-11-24T01:26:42.607+00:00

As title said, I want to do this on IIS not application . Can IIS do this by adding some special setting or install any module?

Internet Information Services
0 comments No comments
{count} votes

Accepted answer
  1. Bruce Zhang-MSFT 3,736 Reputation points
    2021-11-24T05:59:20.193+00:00

    Hi @Loveyou3000 ,

    Yes, you can set it on IIS request filtering module. Please refer to this document.

    <requestFiltering>  
       <filteringRules>  
          <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">  
             <appliesTo>  
                <clear />  
                <add fileExtension=".asp" />  
                <add fileExtension=".aspx" />  
                <add fileExtension=".php" />  
             </appliesTo>  
             <denyStrings>  
                <clear />  
                <add string="--" />  
                <add string=";" />  
                <add string="/*" />  
                <add string="@" />  
                <add string="char" />  
                <add string="alter" />  
                <add string="begin" />  
                <add string="cast" />  
                <add string="create" />  
                <add string="cursor" />  
                <add string="declare" />  
                <add string="delete" />  
                <add string="drop" />  
                <add string="end" />  
                <add string="exec" />  
                <add string="fetch" />  
                <add string="insert" />  
                <add string="kill" />  
                <add string="open" />  
                <add string="select" />  
                <add string="sys" />  
                <add string="table" />  
                <add string="update" />  
             </denyStrings>  
             <scanHeaders>  
                <clear />  
             </scanHeaders>  
          </filteringRule>  
       </filteringRules>  
    </requestFiltering>  
    

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang


0 additional answers

Sort by: Most helpful