Is there any way to prevent SQL injection attacks?

Loveyou3000 151 Reputation points
2021-11-24T01:26:42.607+00:00

As the title says, I want to do this in IIS, not in the application. Can IIS do this by adding some special setting or installing a module?

Internet Information Services

Accepted answer
  1. Bruce Zhang-MSFT 3,736 Reputation points
    2021-11-24T05:59:20.193+00:00

    Hi @Loveyou3000 ,

    Yes, you can set it in the IIS Request Filtering module. Please refer to this document.

    <requestFiltering>  
       <filteringRules>  
          <filteringRule name="SQLInjection" scanUrl="false" scanQueryString="true">  
             <appliesTo>  
                <clear />  
                <add fileExtension=".asp" />  
                <add fileExtension=".aspx" />  
                <add fileExtension=".php" />  
             </appliesTo>  
             <denyStrings>  
                <clear />  
                <add string="--" />  
                <add string=";" />  
                <add string="/*" />  
                <add string="@" />  
                <add string="char" />  
                <add string="alter" />  
                <add string="begin" />  
                <add string="cast" />  
                <add string="create" />  
                <add string="cursor" />  
                <add string="declare" />  
                <add string="delete" />  
                <add string="drop" />  
                <add string="end" />  
                <add string="exec" />  
                <add string="fetch" />  
                <add string="insert" />  
                <add string="kill" />  
                <add string="open" />  
                <add string="select" />  
                <add string="sys" />  
                <add string="table" />  
                <add string="update" />  
             </denyStrings>  
             <scanHeaders>  
                <clear />  
             </scanHeaders>  
          </filteringRule>  
       </filteringRules>  
    </requestFiltering>  
    


    Best regards,
    Bruce Zhang
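
An added example, not part of the answer above or of Microsoft's documentation: a small Python model of the rule's `appliesTo` and `denyStrings` lists, run over constructed request URLs to show which ordinary requests the rule would reject before it is enabled on a live site. The matching model (case-insensitive substring match on the raw and percent-decoded query string) and the sample URLs are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, unquote_plus

# Values copied from the filteringRule in the answer above.
APPLIES_TO = {".asp", ".aspx", ".php"}
DENY_STRINGS = ["--", ";", "/*", "@", "char", "alter", "begin", "cast", "create",
                "cursor", "declare", "delete", "drop", "end", "exec", "fetch",
                "insert", "kill", "open", "select", "sys", "table", "update"]

def rule_hits(url):
    """Return the deny strings found in the query string of `url`.

    Model (assumption): case-insensitive substring match on the raw and the
    percent-decoded query string, only for extensions listed in appliesTo.
    The URL path and headers are ignored, as in the rule (scanUrl="false").
    """
    parts = urlsplit(url)
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext not in APPLIES_TO or not parts.query:
        return []
    candidates = {parts.query.lower(), unquote_plus(parts.query).lower()}
    return [s for s in DENY_STRINGS if any(s in c for c in candidates)]

# Constructed sample of ordinary requests (not real traffic).
SAMPLE_REQUESTS = [
    "/products.aspx?id=42",
    "/search.aspx?q=garden+table",
    "/profile.aspx?name=Charlotte",
    "/orders.aspx?status=open&page=2",
    "/login.php?email=alice%40example.com",
    "/events.asp?range=weekend",
    "/static/site.css?v=update",   # .css is not in appliesTo, so not scanned
]

def false_positive_report(urls):
    """Map each URL the rule would deny to the strings that triggered it."""
    return {u: hits for u in urls if (hits := rule_hits(u))}

if __name__ == "__main__":
    for url, hits in false_positive_report(SAMPLE_REQUESTS).items():
        print(f"DENIED {url}  matched {hits}")
```

Running the same check over query strings taken from existing IIS logs shows how much legitimate traffic the rule would deny before it is switched on.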

