原创 .Net下一招搞定SQL注入攻击

在Global.asax中加入以下语句就可以了

 void Application_BeginRequest(Object sender, EventArgs e)
    {
        StartProcessRequest();

    }

   
     #region SQL注入式攻击代码分析
    ///  <summary>
    /// 处理用户提交的请求
    ///  </summary>
    private void StartProcessRequest()
    {
        try
        {
            string getkeys = "";
            string sqlErrorPage = "~/default.aspx";//转向的错误提示页面
            if (System.Web.HttpContext.Current.Request.QueryString != null)
            {

                for (int i = 0; i  < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.QueryString.Keysidea [i];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
            if (System.Web.HttpContext.Current.Request.Form != null)
            {
                for (int i = 0; i  < System.Web.HttpContext.Current.Request.Form.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.Form.Keysidea [i];
                    if (getkeys == "__VIEWSTATE") continue;
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
        }
        catch
        {
            // 错误处理: 处理用户提交信息!
        }
    }
    ///  <summary>
    /// 分析用户请求是否正常
    ///  </summary>
    ///  <param name="Str">传入用户提交数据 </param>
    ///  <returns>返回是否含有SQL注入式攻击代码 </returns>
    private bool ProcessSqlStr(string Str)
    {
        bool ReturnValue = true;
        try
        {
            if (Str.Trim() != "")
            {
                string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦* ¦chr ¦mid ¦master ¦truncate ¦char ¦declare¦drop";

                string[] anySqlStr = SqlStr.Split('¦');
                foreach (string ss in anySqlStr)
                {
                    if (Str.ToLower().IndexOf(ss) >= 0)
                    {
                        ReturnValue = false;
                        break;
                    }
                }
            }
        }
        catch
        {
            ReturnValue = false;
        }
        return ReturnValue;
    }
    #endregion

http://www.zgkw.cn/forums/forums/thread/73963.aspx


