在Global.asax文件里面写入代码:
protected void Application_BeginRequest(Object sender, EventArgs e) { StartProcessRequest(); }
private void StartProcessRequest() { try { string getKeys = ""; string sqlErrorPage = "/error"; if (Request.QueryString != null) { for (int i = 0; i < Request.QueryString.Count; i++) { getKeys = Request.QueryString.Keys[i]; string val = Request.QueryString[getKeys]; if (StringHelper.CheckValidationUrl(val) || StringHelper.CheckValidationKeyword(val) || StringHelper.CheckValidationKeywordJS(val)) { Response.Redirect(sqlErrorPage); Response.End(); } } } if (Request.Form != null) { for (int i = 0; i < Request.Form.Count; i++) { getKeys = Request.Form.Keys[i]; if (getKeys == "_VIEWSTATE") continue; string val = Request.Form[getKeys]; if (StringHelper.CheckValidationKeyword(val) || StringHelper.CheckValidationKeywordJS(val)) { Response.Redirect(sqlErrorPage); Response.End(); } } } } catch (Exception ex) { Response.Redirect("/error"); return; } }
StringHelper.cs中的方法参考:
/// <summary> /// 去除符号字符,防止SQL注入(URL) /// </summary> /// <param name="val">检查的对象</param> /// <returns>True:包含非法字符;False:不包含非法字符</returns> public static bool CheckValidationUrl(string val) { string str = "'<>~!$^*();|/\"";//% foreach (char ch in str) { if (val.IndexOf(ch) >= 0) { return true; } } return false; } /// <summary> /// 去除SQL关键字,防止SQL注入 /// </summary> /// <param name="val">检查的对象</param> /// <returns>True:包含SQL关键字;False:不包含SQL关键字</returns> public static bool CheckValidationKeyword(string val) { val = " " + val; string sql = " exec | insert | select | delete | update | count | chr | master | truncate | char | declare | drop | create | and | or ";//|mid string[] sql_c = sql.Split('|'); foreach (var sl in sql_c) { if (val.ToLower().IndexOf(sl) >= 0) { return true; } } return false; } /// <summary> /// 去除脚本注入关键字 /// </summary> /// <param name="val"></param> /// <returns></returns> public static bool CheckValidationKeywordJS(string val) { val = " " + val; string sql = " script | alert | href | location "; string[] sql_c = sql.Split('|'); foreach (var sl in sql_c) { if (val.ToLower().IndexOf(sl) >= 0) { return true; } } return false; }