如果对参数没做处理，可以把下面的代码放在 Global 中防注入
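/// <summary>
/// Global.asax request filter: blocks requests whose raw query string contains a
/// blacklisted SQL keyword, and blocks form posts whose Referer host does not match
/// the server's own SERVER_NAME.
/// </summary>
/// <remarks>
/// This is a keyword blacklist, not a real defence against SQL injection: it cannot
/// cover all SQL syntax, and it rejects legitimate input that merely contains words
/// such as "count" or "char". The actual protection has to be parameterised queries
/// at the data-access layer; treat this handler as a coarse tripwire only.
/// Changes from the previous version: the matched keyword and the query string are no
/// longer echoed into the response (reflecting request input was a reflected-XSS
/// hole); keyword matching is ordinal and case-insensitive instead of
/// culture-sensitive ToLower()/IndexOf; the Referer check parses the URL and compares
/// the whole host (the old Substring(7) assumed "http://", so every https Referer
/// was rejected, and the prefix compare accepted "server.name.attacker.example");
/// the typo "creat" is spelt "create" so the entry can match; the unused second
/// keyword list is gone.
/// </remarks>
/// <param name="sender">The application object raising the event (unused).</param>
/// <param name="e">Unused event arguments.</param>
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // Keywords (trimmed before use) that must not appear anywhere in the raw,
    // URL-encoded query string. "+" is an encoded space, so "insert+" matches "insert ".
    string sqlKeywords = "exec ¦insert+ ¦select+ ¦delete ¦update ¦count ¦chr ¦mid ¦master+ ¦truncate ¦char ¦declare ¦drop+ ¦drop+table ¦create+ ¦create+table";
    string[] blacklist = sqlKeywords.Split('¦');

    if (Request.QueryString != null)
    {
        string query = Request.QueryString.ToString();
        foreach (string entry in blacklist)
        {
            string needle = entry.Trim();
            if (needle.Length == 0)
            {
                // IndexOf("") is 0 and would block every request.
                continue;
            }
            if (query.IndexOf(needle, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                // Deliberately do not write the keyword or the query string back:
                // reflecting request input into the page is a reflected-XSS vector.
                // NOTE: despite the message text nothing is logged here - TODO hook this
                // up to the application's logging so the event is actually recorded.
                Response.Write("警告!你的IP已经被记录!");
                Response.End();
                return; // Response.End() normally aborts the thread; return in case it does not.
            }
        }
    }

    if (Request.Form.Count > 0)
    {
        // Crude same-origin check for form posts: the Referer host must equal SERVER_NAME.
        // A missing Referer is still accepted (unchanged behaviour), so this is trivially
        // bypassed and is no substitute for an anti-forgery token.
        string serverName = (Request.ServerVariables["SERVER_NAME"] ?? "").Trim();
        string referer = Request.ServerVariables["HTTP_REFERER"];
        if (referer != null)
        {
            Uri refererUri;
            bool sameHost = Uri.TryCreate(referer.Trim(), UriKind.Absolute, out refererUri)
                && string.Equals(refererUri.Host, serverName, StringComparison.OrdinalIgnoreCase);
            if (!sameHost)
            {
                Response.Write("你的IP已被记录!警告!");
                Response.End();
                return;
            }
        }
    }
}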