asp.net防sql注入

发布时间：2020-12-16 09:28:26 所属栏目：asp.Net 来源：网络整理

导读：? 在全局程序中添加过滤sql敏感 protected void Application_BeginRequest(object sender,EventArgs e) { //遍历Post参数，隐藏域除外 foreach (string i in this.Request.Form) { if (i == "__VIEWSTATE") continue; this.goErr(this.Request.Form[i].ToStr

在全局程序中添加过滤sql敏感

protected void Application_BeginRequest(object sender,EventArgs e)
{
//遍历Post参数，隐藏域除外
foreach (string i in this.Request.Form)
{
if (i == "__VIEWSTATE") continue;
this.goErr(this.Request.Form[i].ToString(),i);
}
//遍历Get参数。
foreach (string i in this.Request.QueryString)
{
this.goErr(this.Request.QueryString[i].ToString(),i);
}
//遍历Cookie
if (Request.Cookies["UserSettings"] != null && Request.Cookies["UserSettings"]["user_id"] != null)
{
this.goErr(Request.Cookies["UserSettings"]["user_id"],"Cookie_UserSettings_User_id");
}
}
/// <summary>
/// 校验参数是否存在SQL字符
/// </summary>
/// <param name="tm"> </param>
private void goErr(string tm,string parmeterName)
{
if (parmeterName == null) parmeterName = string.Empty;
if (SqlFilter(tm,parmeterName))
{
string rUrl = "http://" + Request.Url.Authority + Request.RawUrl.ToString().Split(‘?‘)[0];
Response.Redirect("/Error.aspx?rUrl=" + Server.UrlEncode(rUrl));
}
}
/// <summary>
///SQL注入过滤
/// </summary>
/// <param name="InText">要过滤的字符串 </param>
/// <returns>如果参数存在不安全字符，则返回true </returns>
public bool SqlFilter(string InText,string parmeterName)
{
//要排除检查的页面集合已“|”分割，如为子目录，请写上上级目录名称，如：/exam/aaa.aspx，全小写
string excludePageName = "coursemanager/addcourse.aspx|TrainingClass/TrainingClassEdit.aspx|Exam/exam_result.aspx".ToLower();
string url = Request.Url.ToString().Split(‘?‘)[0].Trim().ToLower();
foreach (string s in excludePageName.Split(‘|‘))
{
if (url.Contains(s) && !string.IsNullOrEmpty(s))
return false;
}

//关键字过滤
string word = "and|exec|execute|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|drop|xp_cmdshell|xp_delete_file|xp_regread|xp_regwrite|xp_dirtree";
if (InText == null)
return false;
InText = InText.ToLower();
parmeterName = parmeterName.ToLower();
foreach (string i in word.Split(‘|‘))
{
if ((InText.IndexOf("" + i + "") > -1))
{
return true;
}
}

//特殊字符过滤 string excludeName = "$password|loginpass|txtremark|ftbContent".ToLower(); //要排除特殊字符判断的控件类似名集合已“|”分割 bool isCheckChar = true; //默认都要检查特殊字符 foreach (string s in excludeName.Split(‘|‘)) { if (parmeterName.Contains(s)) isCheckChar = false; } if (isCheckChar) { if (InText.Contains("‘")) { return true; } //else if (InText.Contains(" ")) //{ // return true; //} //else if (InText.Contains("+")) //{ // return true; //} //else if (InText.Contains("-")) //{ // return true; //} else if (InText.Contains("/*")) { return true; } else if (InText.Contains("*/")) { return true; } } return false; }

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!