using System;
using System.Text;
using System.Web;
namespace Phone.HttpModule
{
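/// <summary>
/// HTTP module that screens the query-string and form values of every request
/// against a small SQL-keyword blacklist and redirects to an error page on a hit.
/// </summary>
/// <remarks>
/// This is a coarse defense-in-depth heuristic, not a security boundary: a keyword
/// blacklist does not catch every malicious input and it rejects ordinary text that
/// happens to contain a keyword (e.g. "select " inside a free-text comment). Data
/// access must still use parameterized queries. The module is registered through
/// <c>&lt;httpModules&gt;</c> in web.config.
/// </remarks>
public class SimpleHttpModule : IHttpModule
{
    #region IHttpModule members

    /// <summary>Relative URL the request is redirected to when a value is rejected.</summary>
    private const string ErrorPage = "~/PageError.aspx";

    /// <summary>
    /// Form field skipped by the filter: ASP.NET view state is opaque, framework-generated
    /// data rather than user text.
    /// </summary>
    private const string ViewStateKey = "__VIEWSTATE";

    /// <summary>
    /// Keywords whose presence (ordinal, case-insensitive) rejects a value. The trailing
    /// space on some entries limits the match to the keyword followed by an argument.
    /// </summary>
    // Kept as one '|'-separated string so it can later be moved to
    // ConfigurationManager.AppSettings["FilterSqlString"]; split once, not per request.
    private static readonly string[] SqlKeywords =
        "declare |exec|varchar|cursor|begin|open |drop |creat |select |truncate".Split('|');

    public void Dispose()
    {
    }

    /// <summary>
    /// Hooks <see cref="HttpApplication.AcquireRequestState"/>. Session state is not yet
    /// loaded at BeginRequest, which is why the check runs at this later stage.
    /// </summary>
    /// <param name="context">The application whose pipeline this module joins.</param>
    public void Init(HttpApplication context)
    {
        context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
    }

    /// <summary>
    /// Screens every query-string and form value of the current request. The first
    /// rejected value ends the request with a redirect to <see cref="ErrorPage"/>.
    /// </summary>
    /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused.</param>
    void context_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        #region GET/POST data filtering (SQL-injection heuristic)
        bool rejected;
        try
        {
            rejected = HasRejectedValue(context);
        }
        catch (Exception ex)
        {
            // Fail open, as the original did: a faulty filter must not take the site down.
            // The failure is at least recorded in the page trace (visible when tracing is
            // enabled) instead of being discarded silently.
            context.Trace.Warn("SimpleHttpModule", "Request filter failed; request let through.", ex);
            return;
        }

        if (rejected)
        {
            // endResponse: true ends the pipeline here, so the former explicit
            // Response.End() (and the unreachable break after it) are not needed.
            context.Response.Redirect(ErrorPage, true);
        }
        #endregion
    }

    /// <summary>
    /// Returns true when any query-string or form value (other than view state)
    /// contains a blacklisted keyword.
    /// </summary>
    /// <param name="context">The context of the request being screened.</param>
    // NOTE(review): Request.QueryString is already URL-decoded by ASP.NET, and form values
    // are screened HTML-decoded although the application receives them as posted. The
    // filter therefore inspects a more-decoded text than the application uses, which can
    // reject values the application itself would never see as a keyword. Kept for
    // compatibility with the original behaviour; confirm whether the extra decode is wanted.
    private static bool HasRejectedValue(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpServerUtility server = context.Server;

        // Data submitted in the URL.
        if (request.QueryString != null)
        {
            for (int i = 0; i < request.QueryString.Count; i++)
            {
                if (!ProcessSqlStr(server.UrlDecode(request.QueryString[i])))
                {
                    return true;
                }
            }
        }

        // Data submitted in the form body.
        if (request.Form != null)
        {
            for (int i = 0; i < request.Form.Count; i++)
            {
                // NOTE(review): other framework fields (e.g. __EVENTVALIDATION) carry the
                // same kind of opaque data but are still screened here, as before.
                if (request.Form.Keys[i] == ViewStateKey)
                {
                    continue;
                }
                if (!ProcessSqlStr(server.HtmlDecode(request.Form[i])))
                {
                    return true;
                }
            }
        }

        return false;
    }

    /// <summary>
    /// Checks one decoded request value against <see cref="SqlKeywords"/>.
    /// </summary>
    /// <param name="str">The value to screen; may be null.</param>
    /// <returns>
    /// false when the value contains a blacklisted keyword (ordinal, case-insensitive);
    /// true otherwise, including for null, empty and whitespace-only values.
    /// </returns>
    private static bool ProcessSqlStr(string str)
    {
        // A null value used to hit the catch-all and be rejected, sending the user to the
        // error page for a merely missing value; treat it like the empty string it stands for.
        if (str == null || str.Trim().Length == 0)
        {
            return true;
        }

        foreach (string keyword in SqlKeywords)
        {
            // OrdinalIgnoreCase replaces the per-iteration, culture-sensitive ToLower():
            // under cultures such as tr-TR, where 'I' does not lower to 'i', the old
            // comparison could miss an upper-case keyword (CA1304/CA1308).
            if (str.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }

        return true;
    }

    #endregion
}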
}
-------------
web.config 加入配置如下
<httpModules>
<add type="Phone.HttpModule.SimpleHttpModule,Phone.HttpModule" name="SimpleHttpModule" />
</httpModules>
总结:其它的业务逻辑处理均可以在这个过程中实现,主要是请求来的数据处理分析
HttpApplication application = (HttpApplication)sender;
HttpContext context = ((HttpApplication)sender).Context;
主要用到的对象
像验证登录、过滤、url 重写、权限控制等均可以在此实现