防SQL注入

asp.net 防SQL注入

一：一个方法
        /// <summary>
        ///SQL注入过滤
        /// </summary>
        /// <param name="InText">要过滤的字符串</param>
        /// <returns>如果参数存在不安全字符，则返回true</returns>
        public static bool SqlFilter2(string InText)
        {
            string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|&apos;";
            if (InText == null)
                return false;
            foreach (string str_t in word.Split(&apos;|&apos;))
            {
                if ((InText.ToLower().IndexOf(str_t + " ") > -1) || (InText.ToLower().IndexOf(" " + str_t) > -1) || (InText.ToLower().IndexOf(str_t) > -1))
                {
                    return true;
                }
            }
            return false;
        }

 二：global.ascx 中的一个方法
    /// <summary>
    /// 当有数据时交时，触发事件
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="e"></param>
    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        //遍历Post参数，隐藏域除外
        foreach (string str_t in this.Request.Form)
        {
            if (str_t == "__VIEWSTATE") continue;
            this.goErr(this.Request.Form[str_t].ToString());
        }
        //遍历Get参数。
        foreach (string str_t in this.Request.QueryString)
        {
            this.goErr(this.Request.QueryString[str_t].ToString());
        }
    }

三：global.asax中的另外一方法

    /// <summary>
    /// 校验参数是否存在SQL字符
    /// </summary>
    /// <param name="tm"></param>
    private void goErr(string tm)
    {
        if (wenlong.function.func.SqlFilter2(tm))
            this.Response.Redirect("/error");
        //Response.Redirect();
    }