• 使用字符过滤的方法防止ASP.NET网站被注入


    在Global.asax文件里面写入代码:

            protected void Application_BeginRequest(Object sender, EventArgs e)
            {
                   StartProcessRequest();
            }            
            private void StartProcessRequest()
            {
                try
                {
                    string getKeys = "";
                    string sqlErrorPage = "/error";
                    if (Request.QueryString != null)
                    {
                        for (int i = 0; i < Request.QueryString.Count; i++)
                        {
                            getKeys = Request.QueryString.Keys[i];
                            string val = Request.QueryString[getKeys];
                            if (StringHelper.CheckValidationUrl(val) || StringHelper.CheckValidationKeyword(val) || StringHelper.CheckValidationKeywordJS(val))
                            {
                                Response.Redirect(sqlErrorPage);
                                Response.End();
                            }
                        }
                    }
                    if (Request.Form != null)
                    {
                        for (int i = 0; i < Request.Form.Count; i++)
                        {
                            getKeys = Request.Form.Keys[i];
                            if (getKeys == "_VIEWSTATE")
                                continue;
                            string val = Request.Form[getKeys];
                            if (StringHelper.CheckValidationKeyword(val) || StringHelper.CheckValidationKeywordJS(val))
                            {
                                Response.Redirect(sqlErrorPage);
                                Response.End();
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    Response.Redirect("/error");
                    return;
                }
            }    

    StringHelper.cs中的方法参考:

            /// <summary>
            /// 去除符号字符,防止SQL注入(URL)
            /// </summary>
            /// <param name="val">检查的对象</param>
            /// <returns>True:包含非法字符;False:不包含非法字符</returns>
            public static bool CheckValidationUrl(string val)
            {
                string str = "'<>~!$^*();|/\"";//%
                foreach (char ch in str)
                {
                    if (val.IndexOf(ch) >= 0)
                    {
                        return true;
                    }
                }
                return false;
            }
    
            /// <summary>
            /// 去除SQL关键字,防止SQL注入
            /// </summary>
            /// <param name="val">检查的对象</param>
            /// <returns>True:包含SQL关键字;False:不包含SQL关键字</returns>
            public static bool CheckValidationKeyword(string val)
            {
                val = " " + val;
                string sql = " exec | insert | select | delete | update | count | chr | master | truncate | char | declare | drop | create | and | or ";//|mid
                string[] sql_c = sql.Split('|');
                foreach (var sl in sql_c)
                {
                    if (val.ToLower().IndexOf(sl) >= 0)
                    {
                        return true;
                    }
                }
                return false;
            }
    
            /// <summary>
            /// 去除脚本注入关键字
            /// </summary>
            /// <param name="val"></param>
            /// <returns></returns>
            public static bool CheckValidationKeywordJS(string val)
            {
                val = " " + val;
                string sql = " script | alert | href | location ";
                string[] sql_c = sql.Split('|');
                foreach (var sl in sql_c)
                {
                    if (val.ToLower().IndexOf(sl) >= 0)
                    {
                        return true;
                    }
                }
                return false;
            }
  • 相关阅读:
    理解MapReduce计算构架
    熟悉HBase基本操作
    爬虫大作业
    第三章 熟悉常用的HDFS操作
    数据结构化与保存
    使用正则表达式,取得点击次数,函数抽离
    爬取校园新闻首页的新闻
    网络爬虫基础练习
    Hadoop综合大作业
    hive基本操作与应用
  • 原文地址:https://www.cnblogs.com/sky6699/p/15992685.html
Copyright © 2020-2023  润新知