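// .NET illegal-request-string filter design
//
// web.config registration. The original fragment closed <configSections> before opening
// it; the opening tag is restored here so the snippet is a valid section declaration:
//
// <configuration>
//   <configSections>
//     <section name="testConfiguration"
//              type="gaj.Project.Configuration.Settings,gaj,Version=1.0.0.0,Culture=neutral, PublicKeyToken=null"/>
//   </configSections>
//   <testConfiguration IllegalRequestStrings="and|exec|insert|select|delete|update|master|truncate|char|declare|'|or " IsDemo="false">
//   </testConfiguration>
// </configuration>
//
// NOTE: a substring blacklist is a defence-in-depth measure only. Short tokens such as
// "and", "char" and "or " also occur in ordinary text ("android", "character", "color red"),
// so legitimate requests will be rejected, while encoded or otherwise obfuscated input is
// not caught. Parameterized queries (and output encoding) remain the primary controls;
// this module never replaces them.

/// <summary>
/// Custom configuration section holding the request-filter settings.
/// </summary>
public class Settings : ConfigurationSection
{
    /// <summary>
    /// Returns the "testConfiguration" section, trying the web configuration first and the
    /// application configuration second, e.g. <c>Settings.GetSection().IllegalRequestStrings</c>.
    /// </summary>
    /// <returns>The section instance, or <c>null</c> when it is absent or cannot be read.</returns>
    public static Settings GetSection()
    {
        try
        {
            return WebConfigurationManager.GetSection("testConfiguration") as Settings;
        }
        catch
        {
            // Not hosted in ASP.NET (or the web lookup failed): fall back to app.config.
            try
            {
                return ConfigurationManager.GetSection("testConfiguration") as Settings;
            }
            catch (Exception ex)
            {
                // Best-effort lookup: a broken configuration yields null instead of crashing
                // the application. Callers must handle the null result.
                Console.Write(ex.ToString());
            }
        }
        return null;
    }

    /// <summary>
    /// Parameterless constructor required by the configuration system.
    /// (The original declared it as <c>NclSettings()</c>, which does not compile inside
    /// a class named <c>Settings</c>.)
    /// </summary>
    public Settings()
    {
    }

    /// <summary>
    /// '|'-separated list of substrings that must not appear in any request value.
    /// </summary>
    [ConfigurationProperty("IllegalRequestStrings", DefaultValue = "", IsRequired = false)]
    public string IllegalRequestStrings
    {
        get { return (string)this["IllegalRequestStrings"]; }
        set { this["IllegalRequestStrings"] = value; }
    }
}

/// <summary>
/// Base HTTP module that inspects every request for illegal parameter values.
/// </summary>
public abstract class BaseModuleFilter : IHttpModule
{
    #region IHttpModule members

    public virtual void Dispose()
    {
    }

    /// <summary>Subscribes the filter to the BeginRequest pipeline event.</summary>
    /// <param name="context">The application whose requests are filtered.</param>
    public virtual void Init(HttpApplication context)
    {
        context.BeginRequest += new EventHandler(BaseModuleFilter_BeginRequest);
    }

    /// <summary>BeginRequest handler: delegates to <see cref="Filtrate"/>.</summary>
    public virtual void BaseModuleFilter_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        Filtrate(app);
    }

    /// <summary>Inspects the request and throws when an illegal value is found.</summary>
    /// <param name="app">The current application; its Request is inspected.</param>
    public abstract void Filtrate(HttpApplication app);

    #endregion
}

/// <summary>
/// Default filter: checks the query string, form fields and cookies against the configured
/// illegal substrings and throws <see cref="IllegalRequestException"/> on the first hit.
/// </summary>
public class ModuleFilter : BaseModuleFilter
{
    // ASP.NET postback fields whose values are framework-generated; they are never inspected.
    private static readonly string[] dotNetKeyArray =
    {
        "__EVENTTARGET", "__EVENTARGUMENT", "__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTVALIDATION"
    };

    /// <summary>
    /// Checks QueryString, Form and Cookies, in that order, and stops at the first hit.
    /// </summary>
    /// <param name="app">The current application; its Request is inspected.</param>
    /// <exception cref="ArgumentNullException"><paramref name="app"/> is null.</exception>
    /// <exception cref="IllegalRequestException">A value contains a configured illegal substring.</exception>
    public override void Filtrate(HttpApplication app)
    {
        if (app == null)
        {
            throw new ArgumentNullException("app");
        }

        HttpRequest request = app.Request;
        string illegalKey;
        string illegalValue;
        string containStr;

        if (CheckCollection(request.QueryString, out illegalKey, out illegalValue, out containStr))
        {
            throw new IllegalRequestException(illegalKey, illegalValue, containStr, "QueryString");
        }
        if (CheckCollection(request.Form, out illegalKey, out illegalValue, out containStr))
        {
            throw new IllegalRequestException(illegalKey, illegalValue, containStr, "Form");
        }
        if (CheckCollection(request.Cookies, out illegalKey, out illegalValue, out containStr))
        {
            throw new IllegalRequestException(illegalKey, illegalValue, containStr, "Cookie");
        }
    }

    /// <summary>
    /// Scans a query-string/form collection (<see cref="NameValueCollection"/>) or a
    /// <see cref="HttpCookieCollection"/>; any other collection type is treated as clean.
    /// </summary>
    /// <param name="collection">Collection to scan; null is treated as empty.</param>
    /// <param name="illegalKey">Key or cookie name of the first offending entry, else null.</param>
    /// <param name="illegalValue">Value of the first offending entry, else null.</param>
    /// <param name="containStr">The illegal substring that matched, else null.</param>
    /// <returns><c>true</c> when an offending entry was found.</returns>
    private static bool CheckCollection(ICollection collection, out string illegalKey, out string illegalValue, out string containStr)
    {
        illegalKey = null;
        illegalValue = null;
        containStr = null;

        // Read the configured list once per collection rather than once per value.
        string illegalStrings = GetIllegalRequestStrings();
        if (collection == null || string.IsNullOrEmpty(illegalStrings))
        {
            return false;
        }

        NameValueCollection nvCol = collection as NameValueCollection;
        if (nvCol != null)
        {
            for (int i = 0; i < nvCol.Count; i++)
            {
                string key = nvCol.Keys[i];
                string value = nvCol[i];
                if (CheckKey(key) && ContainsIllegalString(value, illegalStrings, out containStr))
                {
                    illegalKey = key;
                    illegalValue = value;
                    return true;
                }
            }
            return false;
        }

        HttpCookieCollection cookieCol = collection as HttpCookieCollection;
        if (cookieCol != null)
        {
            for (int i = 0; i < cookieCol.Count; i++)
            {
                HttpCookie cookie = cookieCol[i];
                if (ContainsIllegalString(cookie.Value, illegalStrings, out containStr))
                {
                    illegalKey = cookie.Name;
                    illegalValue = cookie.Value;
                    return true;
                }
            }
        }
        return false;
    }

    // Returns the configured list, or null when the section is missing or unreadable.
    // Settings.GetSection() returns null in that case; the original dereferenced it and
    // failed every request with a NullReferenceException. NOTE: with this guard a missing
    // section silently disables filtering, so its presence should be verified at deployment.
    private static string GetIllegalRequestStrings()
    {
        Settings settings = Settings.GetSection();
        return settings == null ? null : settings.IllegalRequestStrings;
    }

    // Framework postback fields are exempt; everything else (including a null key for an
    // unnamed query-string value) is checked.
    private static bool CheckKey(string key)
    {
        return Array.IndexOf(dotNetKeyArray, key) < 0;
    }

    /// <summary>
    /// Returns <c>true</c> when <paramref name="value"/> contains any non-empty
    /// '|'-separated token of <paramref name="illegalStrings"/>, compared with
    /// <see cref="StringComparison.OrdinalIgnoreCase"/>.
    /// </summary>
    /// <param name="value">Submitted value; null or empty never matches.</param>
    /// <param name="illegalStrings">
    /// '|'-separated tokens. Empty tokens (e.g. from a trailing '|') are skipped: the
    /// original passed them to IndexOf, and an empty needle matches every value.
    /// </param>
    /// <param name="containStr">The first matching token, or null.</param>
    public static bool ContainsIllegalString(string value, string illegalStrings, out string containStr)
    {
        containStr = null;
        if (string.IsNullOrEmpty(value) || string.IsNullOrEmpty(illegalStrings))
        {
            return false;
        }

        string[] tokens = illegalStrings.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string token in tokens)
        {
            // OrdinalIgnoreCase instead of ToLower()+IndexOf: culture-independent (no Turkish-I
            // surprises, no culture-sensitive IndexOf ignoring characters) and it also matches
            // tokens configured in upper case, which the original never lower-cased.
            if (value.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                containStr = token;
                return true;
            }
        }
        return false;
    }
}

/// <summary>
/// Raised when a submitted value contains a configured illegal substring.
/// </summary>
public class IllegalRequestException : Exception
{
    private readonly string illegalKey = null;
    private readonly string illegalValue = null;
    private readonly string containValue = null;
    private readonly string errorSource = null;

    /// <summary>
    /// Constructor
    /// </summary>
    /// <param name="illegalKey">Key (or cookie name) of the offending entry.</param>
    /// <param name="illegalValue">The submitted value.</param>
    /// <param name="containValue">The illegal substring that matched.</param>
    /// <param name="errorSource">Origin of the entry: "QueryString", "Form" or "Cookie".</param>
    public IllegalRequestException(string illegalKey, string illegalValue, string containValue, string errorSource)
    {
        this.illegalKey = illegalKey;
        this.illegalValue = illegalValue;
        this.containValue = containValue;
        this.errorSource = errorSource;
    }

    /// <summary>
    /// Exception message. It embeds the raw submitted value: if an error page renders this
    /// message, HTML-encode it first, and prefer a generic message for end users.
    /// </summary>
    public override string Message
    {
        get
        {
            return "来自客户端提交的" + ErrorSource + "的键" + IllegalKey + "对应的值" + IllegalValue + "包含非法字符" + ContainValue + "!";
        }
    }

    /// <summary>Key of the offending entry.</summary>
    public string IllegalKey
    {
        get { return illegalKey; }
    }

    /// <summary>Value of the offending entry.</summary>
    public string IllegalValue
    {
        get { return illegalValue; }
    }

    /// <summary>The illegal substring that matched.</summary>
    public string ContainValue
    {
        get { return containValue; }
    }

    /// <summary>Origin collection name: "QueryString", "Form" or "Cookie".</summary>
    public string ErrorSource
    {
        get { return errorSource; }
    }
    // The class body continues past the end of this excerpt.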