using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using Microsoft.VisualBasic;
/// <summary>
/// CheckSql 的摘要说明
/// </summary>
public class CheckSql
{
Base objbase=new Base();
public string[] N_noarray;
//private Int16 N_i;
private string req_Qs, req_F, N_dbstr, N_rs, N_userIP, N_thispage;
public System.Web.HttpRequest request;
public System.Web.HttpResponse response;
public CheckSql()
{
//
// TODO: 在此处添加构造函数逻辑
//
}
public static bool CheckStr(string str)
{
string N_no = ";|'|*|%| and |20%and20%| master |20%master20%|exec|insert|select|delete|count|chr|mid|truncate|char|declare";
string[] N_noarray = N_no.Split(new char[] { '|' });
for (int i = 0; i < N_noarray.Length; i++)
{
if (Strings.InStr(1, str, N_noarray[i], CompareMethod.Text) > 0)
{
return false;
}
}
return true;
}
public void CheckBadstring()
{
N_userIP = request.ServerVariables["REMOTE_ADDR"];
N_thispage = request.ServerVariables["URL"].ToLower();
N_check_Qs();
N_check_form();
}
private void N_check_form()
{
if (request.Form.Count != 0)
{
for(int i=0;i<request.Form.Count;i++)
{
if (request.Form[i].Length > 0 && request.Form[i].Length < 30)
{
n_check(req_F, request.Form[i], "POST");
}
}
}
}
private void N_check_Qs()
{
if( request.QueryString.Count != 0)
{
for (int i = 0; i < request.QueryString.Count; i++)
{
n_check(req_Qs, request.QueryString[i], "GET");
}
}
}
private void n_check(string ag, string agsql,string sqltype)
{
string N_no = ";|'|*|%| and |20%and20%| master |20%master20%|exec|insert|select|delete|count|chr|mid|truncate|char|declare";
N_noarray = N_no.Split(new char[] { '|' });
for (int i = 0; i < N_noarray.Length; i++)
{
if (Strings.InStr(1, agsql.ToLower(), N_noarray[i], CompareMethod.Text) > 0)
{
N_regsql(ag, agsql, sqltype);
}
}
}
private void N_regsql(string ag, string agsql, string sqltype)
{
string sql;
string agsql1=agsql;
if(agsql.IndexOf("'") > -1)
{
agsql1 = agsql.Replace("'", "##") ;//'单引号用##替代
}
sql = "insert into SqlIn(Sqlin_IP,Sqlin_Web,Sqlin_Fs,SqlIn_Cs,Sqlin_Sj,Sqlin_date) values ('" + N_userIP + "','" + N_thispage + "','" + sqltype + "','" + ag + "','" + agsql1 + "',getdate())";
if (sqltype != "OTHER")
{
objbase.ExecTransact(sql);
response.Write("<script> Language=Javascript>alert('请不要在参数中包含非法字符尝试注入!');</script>");
response.Write("<span style='font-size:12px'>非法操作!系统做了如下记录!<br>");
response.Write("操作IP:" + N_userIP + "<br>");
response.Write("操作时间:" + DateTime.Now + "<br>");
response.Write("操作页面:" + N_thispage + "<br>");
response.Write("提交方式:" + sqltype + "<br>");
//response.Write("提交参数:" + ag + "<br>");
response.Write("提交数据:" + agsql + "</span>");
response.End();
}
}
}
使用时在页面中需要验证的位置加入:
CheckSql checksql = new CheckSql();
checksql.request = this.Request;
checksql.response = this.Response;
checksql.CheckBadstring();