通过Global.asax过滤关键字 方法一: protected void Application_BeginRequest(Object sender, EventArgs e) { //SQL防注入 string Sql_1 = "exec|insert+|select+|delete|update|count|chr|mid|master+|truncate|char|declare|drop+|drop+table|creat+|creat+table"; string Sql_2 = "exec+|insert+|delete+|update+|count(|count+|chr+|+mid(|+mid+|+master+|truncate+|char+|+char(|declare+|drop+|creat+|drop+table|creat+table"; string[] sql_c = Sql_1.Split('|'); string[] sql_c1 = Sql_2.Split('|'); if (Request.QueryString != null) { foreach (string sl in sql_c) { if (Request.QueryString.ToString().ToLower().IndexOf(sl.Trim()) >= 0) { Response.Write("警告!你的IP已经被记录!");// Response.Write(sl); Response.Write(Request.QueryString.ToString()); Response.End(); break; } } } if (Request.Form.Count > 0) { string s1 = Request.ServerVariables["SERVER_NAME"].Trim();//服务器名称 if (Request.ServerVariables["HTTP_REFERER"] != null) { string s2 = Request.ServerVariables["HTTP_REFERER"].Trim();//http接收的名称 string s3 = ""; if (s1.Length > (s2.Length - 7)) { s3 = s2.Substring(7); } else { s3 = s2.Substring(7, s1.Length); } if (s3 != s1) { Response.Write("你的IP已被记录!警告!");// Response.End(); } } } } 方法二:(比较好用) /// <summary> /// 当有数据时交时,触发事件 /// </summary> /// <param name="sender"></param> /// <param name="e"></param> protected void Application_BeginRequest(Object sender, EventArgs e) { //遍历Post参数,隐藏域除外 foreach (string i in this.Request.Form) { if (i == "__VIEWSTATE") continue; this.goErr(this.Request.Form[i].ToString()); } //遍历Get参数。 foreach (string i in this.Request.QueryString) { this.goErr(this.Request.QueryString[i].ToString()); } } /// <summary> ///SQL注入过滤 /// </summary> /// <param name="InText">要过滤的字符串</param> /// <returns>如果参数存在不安全字符,则返回true</returns> public bool SqlFilter(string InText) { string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|;|'|--";//这里加要过滤的SQL字符 if (InText == null) return false; foreach (string i in word.Split('|')) { if ((InText.ToLower().IndexOf(i + " ") > -1) || (InText.ToLower().IndexOf(" " + i) > -1)) { return true; } } return false; } /// <summary> /// 校验参数是否存在SQL字符 /// </summary> /// <param name="tm"></param> private void goErr(string tm) { if (SqlFilter(tm)) { Response.Write("<script>window.alert('参数存在不安全字符');"+"</"+"script>"); } }