• 防止SQL注入2


    通过Global.asax过滤关键字
    方法一:
    protected void Application_BeginRequest(Object sender, EventArgs e)
        {
            //SQL防注入
            string Sql_1 = "exec|insert+|select+|delete|update|count|chr|mid|master+|truncate|char|declare|drop+|drop+table|creat+|creat+table";
            string Sql_2 = "exec+|insert+|delete+|update+|count(|count+|chr+|+mid(|+mid+|+master+|truncate+|char+|+char(|declare+|drop+|creat+|drop+table|creat+table";
            string[] sql_c = Sql_1.Split('|');
            string[] sql_c1 = Sql_2.Split('|');
    
            if (Request.QueryString != null)
            {
                foreach (string sl in sql_c)
                {
                    if (Request.QueryString.ToString().ToLower().IndexOf(sl.Trim()) >= 0)
                    {
                        Response.Write("警告!你的IP已经被记录!");//
                        Response.Write(sl);
                        Response.Write(Request.QueryString.ToString());
                        Response.End();
                        break;
                    }
                }
            }
    
            if (Request.Form.Count > 0)
            {
                string s1 = Request.ServerVariables["SERVER_NAME"].Trim();//服务器名称
                if (Request.ServerVariables["HTTP_REFERER"] != null)
                {
                    string s2 = Request.ServerVariables["HTTP_REFERER"].Trim();//http接收的名称
                    string s3 = "";
                    if (s1.Length > (s2.Length - 7))
                    {
                        s3 = s2.Substring(7);
                    }
                    else
                    {
                        s3 = s2.Substring(7, s1.Length);
                    }
                    if (s3 != s1)
                    {
                        Response.Write("你的IP已被记录!警告!");//
                        Response.End();
                    }
                }
            }
        }
        
        方法二:(比较好用)
          /// <summary>
        /// 当有数据时交时,触发事件
        /// </summary>
        /// <param name="sender"></param>
        /// <param name="e"></param>
        protected void Application_BeginRequest(Object sender, EventArgs e)
        {
            //遍历Post参数,隐藏域除外
            foreach (string i in this.Request.Form)
            {
                if (i == "__VIEWSTATE") continue;
                this.goErr(this.Request.Form[i].ToString());
            }
            //遍历Get参数。
            foreach (string i in this.Request.QueryString)
            {
                this.goErr(this.Request.QueryString[i].ToString()); 
    
            }
    
        }
    
        /// <summary>
        ///SQL注入过滤
        /// </summary>
        /// <param name="InText">要过滤的字符串</param>
        /// <returns>如果参数存在不安全字符,则返回true</returns>
        public bool SqlFilter(string InText)
        {
            string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|;|'|--";//这里加要过滤的SQL字符
            if (InText == null)
                return false;
            foreach (string i in word.Split('|'))
            {
                if ((InText.ToLower().IndexOf(i + " ") > -1) || (InText.ToLower().IndexOf(" " + i) > -1))
                {
                    return true;
                }
            }
            return false;
        }
    
        /// <summary>
        /// 校验参数是否存在SQL字符
        /// </summary>
        /// <param name="tm"></param>
        private void goErr(string tm)
        {
            if (SqlFilter(tm))
            {
                Response.Write("<script>window.alert('参数存在不安全字符');"+"</"+"script>");
            }
        }
  • 相关阅读:
    Node.js server render Blob file All In One
    JavaScript Composite Design Patterns All In One
    cloudflare CDN image 403 HTTP error All In One
    CSS grid layout gap & flex layout gap All In One
    设置npm的registry
    正则验证身份证、数字、数字字母
    Markdown 基本语法
    Java小知识01
    计算机小知识
    丢失的数字 三角形最大周长
  • 原文地址:https://www.cnblogs.com/wybshyy/p/16042710.html
Copyright © 2020-2023  润新知