• 使用字符过滤的方法防止ASP.NET网站被注入


    在Global.asax文件里面写入代码:

            /// <summary>
            /// Pipeline entry point: runs the request filter before any handler sees the request.
            /// </summary>
            /// <param name="sender">The event source.</param>
            /// <param name="e">Event data; not used.</param>
            protected void Application_BeginRequest(Object sender, EventArgs e)
            {
                // Delegate straight to the filter; it redirects to the error page on a hit.
                this.StartProcessRequest();
            }
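            /// <summary>
            /// Scans every query-string and form value of the current request with the
            /// <c>StringHelper</c> checks and sends the client to the error page when one of
            /// them reports a hit.
            /// </summary>
            /// <remarks>
            /// This is a request-level blacklist: it only stops inputs that match the character
            /// and keyword lists in <c>StringHelper</c>, and it rejects benign input that happens
            /// to match them. Parameterized SQL and output encoding remain the actual defences.
            /// A rejected request is redirected with <c>endResponse: false</c> followed by
            /// <see cref="HttpApplication.CompleteRequest"/>, so no ThreadAbortException is
            /// raised from inside BeginRequest (Response.End would raise one and it would land
            /// in the catch block below).
            /// </remarks>
            private void StartProcessRequest()
            {
                const string sqlErrorPage = "/error";
                try
                {
                    if (Request.QueryString != null)
                    {
                        for (int i = 0; i < Request.QueryString.Count; i++)
                        {
                            string key = Request.QueryString.Keys[i];
                            string val = Request.QueryString[key];
                            // A missing value has nothing to scan (and would make the checks throw).
                            if (val == null)
                            {
                                continue;
                            }
                            // Query-string values are additionally screened for URL metacharacters;
                            // form values (below) are not, matching the original behaviour.
                            if (StringHelper.CheckValidationUrl(val)
                                || StringHelper.CheckValidationKeyword(val)
                                || StringHelper.CheckValidationKeywordJS(val))
                            {
                                RejectRequest(sqlErrorPage);
                                return;
                            }
                        }
                    }
                    if (Request.Form != null)
                    {
                        for (int i = 0; i < Request.Form.Count; i++)
                        {
                            string key = Request.Form.Keys[i];
                            // Skip the Web Forms view-state field. Its name carries two leading
                            // underscores ("__VIEWSTATE"); a single-underscore comparison never matches.
                            if (key == "__VIEWSTATE")
                            {
                                continue;
                            }
                            string val = Request.Form[key];
                            if (val == null)
                            {
                                continue;
                            }
                            if (StringHelper.CheckValidationKeyword(val)
                                || StringHelper.CheckValidationKeywordJS(val))
                            {
                                RejectRequest(sqlErrorPage);
                                return;
                            }
                        }
                    }
                }
                catch (Exception)
                {
                    // Fail closed: a failure inside the filter itself also ends at the error page.
                    // TODO(review): log the exception before redirecting; it is currently discarded.
                    RejectRequest(sqlErrorPage);
                }
            }

            /// <summary>
            /// Issues a redirect to <paramref name="errorPage"/> and skips the remaining
            /// pipeline stages for this request without aborting the thread.
            /// </summary>
            /// <param name="errorPage">Relative URL of the page the client is sent to.</param>
            private void RejectRequest(string errorPage)
            {
                Response.Redirect(errorPage, false);
                CompleteRequest();
            }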

    StringHelper.cs中的方法参考:

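            /// <summary>
            /// Reports whether <paramref name="val"/> contains one of the characters this filter
            /// treats as URL/SQL metacharacters: ' &lt; &gt; ~ ! $ ^ * ( ) ; | / and the double quote.
            /// </summary>
            /// <remarks>
            /// This is a character blacklist: it rejects legitimate input that contains any of these
            /// characters and it does not make string-built SQL safe. Parameterized queries are the
            /// dependable SQL-injection defence; this check is at most an extra screen in front of them.
            /// </remarks>
            /// <param name="val">The value to inspect. Null or empty is treated as clean.</param>
            /// <returns>true when a listed character is present; false otherwise.</returns>
            public static bool CheckValidationUrl(string val)
            {
                // '%' is not in this list; the original source carried a trailing "//%" note
                // beside it, presumably marking it as deliberately excluded.
                const string forbidden = "'<>~!$^*();|/\"";
                if (string.IsNullOrEmpty(val))
                {
                    return false;
                }
                // Ordinal, character-by-character search; no culture rules apply.
                return val.IndexOfAny(forbidden.ToCharArray()) >= 0;
            }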
    
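            /// <summary>
            /// Reports whether <paramref name="val"/> contains one of the listed SQL keywords as a
            /// space-delimited word, ignoring case.
            /// </summary>
            /// <remarks>
            /// Matching is ordinal and case-insensitive, so it does not depend on the thread culture
            /// (a culture-sensitive ToLower/IndexOf can miss or mis-match letters such as "I" under
            /// some cultures). The value is padded with a space on both sides, so a keyword at the very
            /// end of the value is found as well as one at the start or in the middle. Because "and"
            /// and "or" are in the list, ordinary prose such as "fish and chips" is rejected; this is a
            /// coarse blacklist, not a replacement for parameterized queries.
            /// </remarks>
            /// <param name="val">The value to inspect. Null or empty is treated as clean.</param>
            /// <returns>true when a listed keyword is present as a whole word; false otherwise.</returns>
            public static bool CheckValidationKeyword(string val)
            {
                if (string.IsNullOrEmpty(val))
                {
                    return false;
                }
                // "mid" was commented out of the original list ("//|mid") and stays out here.
                string[] keywords =
                {
                    "exec", "insert", "select", "delete", "update", "count", "chr", "master",
                    "truncate", "char", "declare", "drop", "create", "and", "or"
                };
                // Pad both ends so that " keyword " can match at either edge of the value.
                string padded = " " + val + " ";
                foreach (string keyword in keywords)
                {
                    if (padded.IndexOf(" " + keyword + " ", StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        return true;
                    }
                }
                return false;
            }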
    
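            /// <summary>
            /// Reports whether <paramref name="val"/> contains "script", "alert", "href" or
            /// "location" as a space-delimited word, ignoring case.
            /// </summary>
            /// <remarks>
            /// Only space-delimited words are matched, so the same tokens adjacent to punctuation or
            /// markup are not detected, and harmless words are rejected when they stand alone.
            /// Treat this as a heuristic; HTML-encoding values at the point of rendering is the
            /// dependable cross-site-scripting defence. Matching is ordinal and case-insensitive and
            /// the value is padded on both sides so a keyword at the end of the value is found too.
            /// </remarks>
            /// <param name="val">The value to inspect. Null or empty is treated as clean.</param>
            /// <returns>true when a listed keyword is present as a whole word; false otherwise.</returns>
            public static bool CheckValidationKeywordJS(string val)
            {
                if (string.IsNullOrEmpty(val))
                {
                    return false;
                }
                string[] keywords = { "script", "alert", "href", "location" };
                // Pad both ends so that " keyword " can match at either edge of the value.
                string padded = " " + val + " ";
                foreach (string keyword in keywords)
                {
                    if (padded.IndexOf(" " + keyword + " ", StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        return true;
                    }
                }
                return false;
            }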
  • 原文地址:https://www.cnblogs.com/sky6699/p/15992685.html