Asp.net中Global.asax设置防止Sql注入

using System;
using System.IO;

public partial class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        //在应用程序启动时运行的代码
    }

    protected void Session_Start(object sender, EventArgs e)
    {
        //在新会话启动时运行的代码
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        try
        {
            string getkeys = "";
            //防止post方法注入
            if (System.Web.HttpContext.Current.Request.Form != null)
            {
                for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys], 1))
                    {
                        RecordeWrite();
                        System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm");
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }

            //防止get方法注入
            if (System.Web.HttpContext.Current.Request.QueryString != null)
            {

                for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys], 2))
                    {
                        RecordeWrite();
                        System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm");
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }

            //防止cookie方法注入 
            if (System.Web.HttpContext.Current.Request.Cookies != null)
            {
                for (int i = 0; i < System.Web.HttpContext.Current.Request.Cookies.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.Cookies.AllKeys[i];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].Value, 3))
                    {
                        RecordeWrite();
                        System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm");
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
        }
        catch
        {

        }
    }

    /// <summary>
    /// 分析用户请求是否正常
    /// </summary>
    /// <param name="Str">传入用户提交数据</param>
    /// <param name="type">注入的方式</param>
    /// <returns>返回是否含有SQL注入式攻击代码</returns>
    protected bool ProcessSqlStr(string Str, int type)
    {
        string SqlStr = "";
        if (type == 1)  //Post方法提交
        {
            SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare|replace(|varchar(|cast(";
        }
        else if (type == 2) //Get方法提交
        {
            SqlStr = "'|script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|*|asc(|chr(|substring(|mid(|master|truncate|char(|declare|and|or|=|%|replace(|;|varchar(|cast(";
        }
        else if (type == 3) //Cookie提交
        {
            SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare";
        }
        else  //默认Post方法提交
        {
            SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare|replace(";
        }

        bool ReturnValue = true;
        try
        {
            if (Str != "")
            {
                string[] anySqlStr = SqlStr.ToUpper().Split('|'); ;
                foreach (string ss in anySqlStr)
                {
                    if (Str.ToUpper().IndexOf(ss) >= 0)
                    {
                        ReturnValue = false;
                    }
                }
            }
        }
        catch
        {
            ReturnValue = false;
        }
        return ReturnValue;
    }

    /// <summary>
    /// 记录攻击信息
    /// </summary>
    protected void RecordeWrite()
    {
        try
        {
            string path = "~/Error/Log/" + DateTime.Today.ToString("dd-mm-yy") + ".txt";
            if (!System.IO.File.Exists(System.Web.HttpContext.Current.Server.MapPath(path)))
            {
                System.IO.File.Create(System.Web.HttpContext.Current.Server.MapPath(path)).Close();
            }
            using (StreamWriter w = System.IO.File.AppendText(System.Web.HttpContext.Current.Server.MapPath(path)))
            {
                w.WriteLine("当前时间:{0}", System.DateTime.Now.ToString());
                w.WriteLine("当前IP:{0} ", System.Web.HttpContext.Current.Request.UserHostAddress);
                w.WriteLine("当前Url:{0} ", System.Web.HttpContext.Current.Request.Url.ToString());
                w.WriteLine("__________________________________");
                w.Flush();
                w.Close();
            }
        }
        catch
        {
        }
    }

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {

    }

    protected void Application_Error(object sender, EventArgs e)
    {

    }

    protected void Session_End(object sender, EventArgs e)
    {
        //在会话结束时运行的代码。 
        // 注意: 只有在 Web.config 文件中的 sessionstate 模式设置为
        // InProc 时,才会引发 Session_End 事件。如果会话模式 
        //设置为 StateServer 或 SQLServer,则不会引发该事件。
    }

    protected void Application_End(object sender, EventArgs e)
    {

    }
}
更多.net技术就在http://bbs.netluntan.com,群:121058751
  • 1
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值