• .net sql 防注入 httpmodule（基于关键字黑名单的请求过滤——只能作为纵深防御，不能替代数据访问层的参数化查询）


    1 新建一个类，实现 IHttpModule 接口：在 Init 中订阅 AcquireRequestState 事件，对请求的每个 QueryString / Form 值做关键字检查，命中即抛出异常中断请求。

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Text;
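    namespace DotNet.Common.WebForm
    {
        /// <summary>
        /// HTTP module that rejects a request when any query-string or form value contains a
        /// blacklisted SQL keyword (see <see cref="FilterSql"/>).
        /// </summary>
        /// <remarks>
        /// SECURITY NOTE: a keyword blacklist is NOT a defence against SQL injection and must not
        /// be relied on as one. It is easy to bypass -- nothing here inspects cookies, request
        /// headers, route values, uploaded files or a raw JSON/XML body (<c>Request.Form</c> is
        /// empty for those), and any keyword not on the list goes straight through -- and it
        /// rejects legitimate input that merely contains a keyword ("Select Comfort", "drop
        /// shipping"). Build SQL with parameterized commands at the data-access layer; keep this
        /// module only as defence-in-depth.
        /// A rejected request throws <see cref="HttpException"/> with status 400 (it derives from
        /// <see cref="Exception"/>, so existing catch blocks still work); handle it in
        /// Application_Error / customErrors so no stack trace is returned to the client.
        /// </remarks>
        public class SqlHttpModule : IHttpModule
        {
            /// <summary>
            /// Blacklisted substrings. Matching is case-insensitive and is done on a copy of the
            /// value whose whitespace runs (tab, newline, ...) are collapsed to a single space, so
            /// "select\tx" matches "select " just as "select x" does. The trailing space keeps
            /// ordinary words such as "selection" or "opened" from matching. "create " replaces the
            /// original "creat " entry, which never matched "create table" (the space follows the
            /// final "e"). "--" and "/*" catch the SQL comment openers used to truncate or pad a
            /// query; "--" subsumes the original "&lt;-- " and "--&gt; " entries.
            /// </summary>
            private static readonly string[] SqlKeywords =
            {
                "insert ", "delete ", "select ", "update ", "exec ", "varchar ", "drop ",
                "create ", "declare ", "truncate ", "cursor ", "begin ", "open ", "union ",
                "--", "/*",
            };

            public void Dispose()
            {
            }

            /// <summary>
            /// Subscribes the check to <c>AcquireRequestState</c>, the same pipeline event the
            /// original used. The module itself is registered through web.config.
            /// </summary>
            public void Init(HttpApplication context)
            {
                context.AcquireRequestState += new EventHandler(OnAcquireRequestState);
            }

            /// <summary>
            /// Inspects every query-string and form value and aborts the request with a 400
            /// <see cref="HttpException"/> as soon as one value fails <see cref="FilterSql"/>.
            /// </summary>
            private void OnAcquireRequestState(object sender, EventArgs e)
            {
                HttpContext context = ((HttpApplication)sender).Context;
                HttpRequest request = context.Request;

                // URL (GET) values. Iterate by position: a parameter without "=" ("?foo") has a
                // null key, and looking the value up by key would have skipped it.
                if (request.QueryString != null)
                {
                    for (int i = 0; i < request.QueryString.Count; i++)
                    {
                        string raw = request.QueryString[i];
                        // Check the value exactly as handlers see it, and also the URL-decoded
                        // form the original checked, in case a handler decodes it a second time.
                        if (!FilterSql(raw) || !FilterSql(context.Server.UrlDecode(raw)))
                        {
                            throw new HttpException(400, "QueryString(GET) including dangerous sql key word!");
                        }
                    }
                }

                // Form (POST) values. NOTE(review): touching Request.Form reads the whole request
                // body at this point (large uploads included) -- confirm that is acceptable.
                if (request.Form != null)
                {
                    for (int i = 0; i < request.Form.Count; i++)
                    {
                        // ViewState is an opaque base64 blob rather than user-typed text; it is
                        // skipped as in the original.
                        if (request.Form.Keys[i] == "__VIEWSTATE")
                        {
                            continue;
                        }
                        string raw = request.Form[i];
                        if (!FilterSql(raw) || !FilterSql(context.Server.HtmlDecode(raw)))
                        {
                            throw new HttpException(400, "Request.Form(POST) including dangerous sql key word!");
                        }
                    }
                }
            }

            /// <summary>
            /// Returns <c>true</c> when <paramref name="key"/> contains none of
            /// <see cref="SqlKeywords"/> (null and empty are allowed), <c>false</c> when it does.
            /// Any failure during the check is treated as "dangerous" (fail closed), as in the
            /// original. Public so the blacklist can be unit-tested and reused.
            /// </summary>
            /// <param name="key">The request value to inspect.</param>
            /// <returns><c>true</c> if the value passes the blacklist, otherwise <c>false</c>.</returns>
            public static bool FilterSql(string key)
            {
                if (string.IsNullOrEmpty(key))
                {
                    return true;
                }
                try
                {
                    string normalized = CollapseWhitespace(key);
                    foreach (string keyword in SqlKeywords)
                    {
                        // Ordinal, case-insensitive: keywords are ASCII and must not depend on the
                        // server's culture (the original used ToUpper, which does).
                        if (normalized.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
                        {
                            return false;
                        }
                    }
                    return true;
                }
                catch
                {
                    return false;
                }
            }

            /// <summary>
            /// Replaces every run of whitespace characters in <paramref name="value"/> with one
            /// space, so the trailing-space keywords also match tab/newline separated SQL.
            /// </summary>
            private static string CollapseWhitespace(string value)
            {
                StringBuilder builder = new StringBuilder(value.Length);
                bool previousWasSpace = false;
                foreach (char c in value)
                {
                    if (char.IsWhiteSpace(c))
                    {
                        if (!previousWasSpace)
                        {
                            builder.Append(' ');
                        }
                        previousWasSpace = true;
                    }
                    else
                    {
                        builder.Append(c);
                        previousWasSpace = false;
                    }
                }
                return builder.ToString();
            }
        }
    }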

    2   在web项目中应用 
    在 web.config 的 system.web/httpModules 节点下添加如下配置（适用于经典管道模式 / IIS6）。若站点运行在 IIS7+ 的集成管道模式，需改为注册到 system.webServer/modules 节点，否则 system.web/httpModules 中的条目不会生效，并会触发 500.22 配置错误。
    <httpModules> 
    <add name="SqlHttpModule" type="DotNet.Common.WebForm.SqlHttpModule, DotNet.Common.WebForm"></add> 
    </httpModules>

    或者是:

    <httpModules> 
    <add name="SqlHttpModule" type="DotNet.Common.WebForm.SqlHttpModule"></add> 
    </httpModules>

    type 的值是“命名空间.类名, 程序集名”；省略程序集名的第二种写法只在该类编译进 Web 应用自身的程序集（例如放在 App_Code 目录）时才能被加载。

    转载自http://blog.csdn.net/loveheye/article/details/5948610
