SQL injection can be guarded against by adding a keyword-filtering method to the Global.asax.cs file. This method comes from the web and is not my own work; I have not tested how it performs. The code is as follows.
using System;
using System.Web;

public class Global : HttpApplication
{
    /// <summary>
    /// Fires when data is submitted with a request
    /// </summary>
    /// <param name="sender"> </param>
    /// <param name="e"> </param>
    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // Walk the POST parameters, skipping the ViewState hidden field
        foreach (string i in this.Request.Form)
        {
            if (i == "__VIEWSTATE") continue;
            this.goErr(this.Request.Form[i]);
        }
        // Walk the GET parameters
        foreach (string i in this.Request.QueryString)
        {
            this.goErr(this.Request.QueryString[i]);
        }
    }

    /// <summary>
    /// SQL injection filter
    /// </summary>
    /// <param name="InText">String to check</param>
    /// <returns>true if the parameter contains unsafe characters</returns>
    public bool SqlFilter(string InText)
    {
        // Add the SQL keywords to filter here; entries are separated by '|'
        string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|'|--";
        if (InText == null)
            return false;
        string lower = InText.ToLower();
        foreach (string i in word.Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries))
        {
            // A keyword only counts when it is followed or preceded by a space
            if (lower.IndexOf(i + " ") > -1 || lower.IndexOf(" " + i) > -1)
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Check whether a parameter contains SQL keywords
    /// </summary>
    /// <param name="tm"> </param>
    private void goErr(string tm)
    {
        if (SqlFilter(tm))
        {
            // Only writes an alert; the request is not terminated and still reaches the page handler.
            // The closing tag is split so the literal "</script>" does not appear in the source.
            Response.Write("<script>window.alert('参数存在不安全字符');" + "</" + "script>");
        }
    }
}
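The keyword blacklist above inspects inputs for a fixed word list and, as written, only shows an alert; it rejects legitimate values such as "Rock and Roll" and does not address the root cause, which is splicing user input into SQL text. The standard mitigation in ASP.NET is to bind input as query parameters. The following is an added example, not code from the original post; it assumes a Users table with Id and Name columns and a connection string supplied by the caller.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Assumes a Users(Id, Name) table;
// the connection string is supplied by the caller.
public class UserRepository
{
    private readonly string _connStr;

    public UserRepository(string connectionString)
    {
        _connStr = connectionString;
    }

    // The pattern the keyword filter tries to protect: the value is spliced
    // into the statement text, so a quote in a name such as "O'Brien" already
    // breaks the statement, and keywords in the value become SQL.
    public DataTable FindByNameUnsafe(string name)
    {
        string sql = "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";
        return Run(new SqlCommand(sql));
    }

    // Hardened form: the value is bound as an NVARCHAR parameter. The statement
    // text is fixed, so "Rock and Roll" (which the blacklist rejects because of
    // " and ") or "O'Brien" is simply compared as data, never parsed as SQL.
    public DataTable FindByName(string name)
    {
        var cmd = new SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return Run(cmd);
    }

    private DataTable Run(SqlCommand cmd)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(_connStr))
        using (cmd)
        {
            cmd.Connection = conn;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }
}
```

With parameters in place, a request-level filter like the one in Global.asax.cs becomes defence in depth rather than the only barrier, and it can then be tuned for fewer false positives.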