//sqlhelper类
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
namespace WebApplication3
{
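/// <summary>
/// Request-level substring blacklist for SQL fragments, applied to form and query-string values.
/// This is a coarse pre-filter only: short entries such as "and", "or", "-", ":" and "%" reject many
/// legitimate values (an ISO date contains "-" and ":"), and the list is not exhaustive. Parameterised
/// queries in the data layer remain the actual defence; this class does not replace them.
/// </summary>
public class SQLInjectionHelper
{
    /// <summary>
    /// Fragments that cause a value to be rejected. They are plain substrings and are escaped with
    /// <see cref="Regex.Escape(string)"/> before being compiled, so "." and " " in the multi-word
    /// entries match literally. Matching is case-insensitive.
    /// </summary>
    // NOTE(review): "declear" is probably a misspelling of "declare" — confirm before changing, since
    // GetRegexString() exposes the exact pattern to callers.
    private static readonly string[] BadFragments =
    {
        "and", "exec", "insert", "select", "delete", "update",
        "count", "from", "drop", "asc", "char", "or", "%", ";", ":",
        "'", "\"", "-", "chr", "mid", "master", "truncate",
        "declear", "SiteName", "net user", "xp_cmdshell", "/add",
        "exec master.dbo.xp_cmdshell", "net localgroup administrators",
    };

    // Compiled once: the pattern never changes, so rebuilding it on every request value is wasted work.
    // Static initialisers run in textual order, so BadFragments is populated before this runs.
    private static readonly Regex BadPattern =
        new Regex(GetRegexString(), RegexOptions.IgnoreCase | RegexOptions.Compiled);

    /// <summary>
    /// Scans the current request's user-supplied values for blacklisted fragments.
    /// Only the form body (for "POST") or the query string (for anything else) is examined.
    /// </summary>
    /// <param name="request">HTTP method name as passed by the caller; compared ordinally against "POST".</param>
    /// <returns>true if at least one value matches the blacklist; false otherwise, including when there are no values.</returns>
    public static bool ValidsUrlData(string request)
    {
        // Assumes HttpContext.Current is non-null, i.e. this runs inside the request pipeline.
        var current = HttpContext.Current.Request;
        var values = request == "POST" ? current.Form : current.QueryString;
        return ContainsBadFragment(values);
    }

    /// <summary>Returns true as soon as any value in the collection matches the blacklist.</summary>
    private static bool ContainsBadFragment(NameValueCollection values)
    {
        for (int i = 0; i < values.Count; i++)
        {
            if (validData(values.Get(i)))
            {
                return true;
            }
        }

        return false;
    }

    /// <summary>
    /// Tests a single value against the blacklist.
    /// </summary>
    /// <param name="inputData">The value to check; null or empty is treated as "nothing to reject".</param>
    /// <returns>true if the value contains any blacklisted fragment (case-insensitive).</returns>
    public static bool validData(string inputData)
    {
        if (string.IsNullOrEmpty(inputData))
        {
            return false;
        }

        return BadPattern.IsMatch(inputData);
    }

    /// <summary>
    /// Builds the alternation pattern ".*(frag1|frag2|...).*" from <see cref="BadFragments"/>.
    /// </summary>
    /// <returns>The pattern string; every fragment is regex-escaped so it matches literally.</returns>
    public static string GetRegexString()
    {
        // The surrounding ".*" is redundant for IsMatch (which already searches the whole input) but is
        // kept so the returned pattern has the same shape callers have seen so far.
        return ".*(" + string.Join("|", BadFragments.Select(Regex.Escape)) + ").*";
    }
}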
}
在Global文件中添加
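/// <summary>
/// Runs before any handler and refuses the request when a form or query-string value
/// matches the <see cref="SQLInjectionHelper"/> blacklist.
/// </summary>
/// <param name="sender">The application raising the event.</param>
/// <param name="e">Unused.</param>
void Application_BeginRequest(object sender, EventArgs e)
{
    // Invariant casing: the method name is compared against "POST", which must not depend on the
    // server's current culture.
    if (!SQLInjectionHelper.ValidsUrlData(Request.RequestType.ToUpperInvariant()))
    {
        return;
    }

    // A refused request is a client error; 400 instead of the default 200 lets clients and
    // logs distinguish it from a normal response.
    Response.StatusCode = 400;
    Response.Write("你提交的数据有恶意的字符!");
    // Response.End() stops the pipeline here (on .NET Framework it does so via ThreadAbortException,
    // which is expected at this point).
    Response.End();
}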