• asp.net防止sql注入(转)


    // Pipeline hook (Global.asax): runs before any handler, so every request
    // passes through the screening below. The sender/args are not needed.
    void Application_BeginRequest(Object sender, EventArgs e)
    {
        StartProcessRequest();
    }

    #region SQL注入式攻击代码分析
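    /// <summary>
    /// Screens every query-string and form value of the current request through
    /// <see cref="ProcessSqlStr"/> and redirects to the error page on the first rejected value.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist applied at request entry, not a substitute for
    /// parameterized queries in the data-access code. It only inspects
    /// Request.QueryString and Request.Form (cookies, headers and the URL path are not
    /// checked), and it skips the "__VIEWSTATE" and "hidStdName" form fields.
    /// The redirect is issued with endResponse=false followed by CompleteRequest(),
    /// which ends the pipeline without the ThreadAbortException that Response.End() raises
    /// (the original code swallowed that exception in a bare catch).
    /// </remarks>
    private void StartProcessRequest()
    {
        const string sqlErrorPage = "../ErrorPage.aspx"; // page shown when a value is rejected
        try
        {
            System.Web.HttpContext context = System.Web.HttpContext.Current;
            if (context == null)
            {
                return; // no request in flight, nothing to screen
            }

            // Query-string values are all inspected; form values skip the two opaque
            // fields whose encoded content would otherwise trip the keyword list.
            bool rejected = ContainsSuspiciousValue(context.Request.QueryString, null)
                || ContainsSuspiciousValue(context.Request.Form, new[] { "__VIEWSTATE", "hidStdName" });
            if (rejected)
            {
                context.Response.Redirect(sqlErrorPage, false);
                context.ApplicationInstance.CompleteRequest();
            }
        }
        catch (Exception ex)
        {
            // Best-effort filter, as in the original: a failure while reading the request
            // is traced and the request is allowed through rather than failing the pipeline.
            System.Diagnostics.Trace.TraceError("StartProcessRequest failed: {0}", ex);
        }
    }

    /// <summary>
    /// Returns true when any value in <paramref name="values"/> is rejected by
    /// <see cref="ProcessSqlStr"/>, ignoring the keys listed in <paramref name="skipKeys"/>.
    /// </summary>
    /// <param name="values">Request collection to scan; a null collection yields false.</param>
    /// <param name="skipKeys">Keys to leave unchecked, or null to check every key.</param>
    private bool ContainsSuspiciousValue(System.Collections.Specialized.NameValueCollection values, string[] skipKeys)
    {
        if (values == null)
        {
            return false;
        }
        foreach (string key in values.AllKeys)
        {
            if (skipKeys != null && Array.IndexOf(skipKeys, key) >= 0)
            {
                continue;
            }
            // values[key] joins multiple values with commas; the joined text is what gets screened.
            if (!ProcessSqlStr(values[key]))
            {
                return true;
            }
        }
        return false;
    }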
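    /// <summary>
    /// Checks a submitted value against a fixed list of SQL keywords and fragments.
    /// </summary>
    /// <param name="Str">The raw value submitted by the user; may be null.</param>
    /// <returns>
    /// true when the value is null, blank, or contains none of the listed fragments;
    /// false when a fragment is found (the match is also recorded in n_errorstd).
    /// </returns>
    /// <remarks>
    /// This is a substring blacklist compared ordinally and case-insensitively. It is a
    /// coarse heuristic: entries such as "and ", "char " or "'" also match ordinary text
    /// (e.g. "O'Brien"), and it is not a substitute for parameterized queries in the
    /// data-access code. The audit insert passes the matched fragment as a parameter
    /// instead of splicing it into the SQL text, and a logging failure no longer changes
    /// the verdict.
    /// </remarks>
    private bool ProcessSqlStr(string Str)
    {
        // The original list ended in "creat table", which can never match "create table".
        const string SqlStr = "and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare |'|--|drop table|truncate|create table";

        if (Str == null || Str.Trim().Length == 0)
        {
            return true; // nothing to inspect
        }

        string matched = null;
        foreach (string fragment in SqlStr.Split('|'))
        {
            // Ordinal, case-insensitive: independent of the thread culture, unlike
            // ToLower() followed by the culture-sensitive IndexOf(string).
            if (Str.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                matched = fragment;
                break;
            }
        }

        if (matched == null)
        {
            return true;
        }

        LogRejectedFragment(matched);
        return false;
    }

    /// <summary>
    /// Best-effort audit record of a rejected fragment in n_errorstd (type '5').
    /// Failures are traced and swallowed so the caller's verdict is unaffected.
    /// </summary>
    /// <param name="fragment">The blacklist entry that matched the submitted value.</param>
    private void LogRejectedFragment(string fragment)
    {
        try
        {
            // NOTE(review): ConfigurationSettings is obsolete; ConfigurationManager.AppSettings
            // is the replacement but requires a System.Configuration assembly reference.
            string strcon = System.Configuration.ConfigurationSettings.AppSettings["adoConstr"];
            using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(strcon))
            using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(
                "insert into n_errorstd(stdid,type) values(@stdid,'5')", conn))
            {
                // Parameterized: the fragment can itself be a quote or "--", which broke
                // the original concatenated statement; as a parameter it is sent as data.
                cmd.Parameters.AddWithValue("@stdid", fragment);
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
        catch (Exception ex)
        {
            System.Diagnostics.Trace.TraceError("Failed to record rejected fragment: {0}", ex);
        }
    }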
    #endregion 

  • 原文地址:https://www.cnblogs.com/bianlan/p/2498266.html