在Global.asax文件中加入如下方法即可: #region SQL注入式攻击代码分析 /// /// 处理用户提交的请求 /// private void StartProcessRequest() { try { string getkeys = ""; if (System.Web.HttpContext.Current.Request.QueryString != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys])) { System.Web.HttpContext.Current.Response.Write("
不能包含执行语句
"); System.Web.HttpContext.Current.Response.End(); } } } if (System.Web.HttpContext.Current.Request.Form != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i]; if (getkeys == "__VIEWSTATE") continue; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys])) { jcFAQApp.FAQ_Util.Log.WriteMessage("
注入攻击 ", System.Web.HttpContext.Current.Request.UserHostAddress.ToString()); System.Web.HttpContext.Current.Response.Write("
不能包含执行语句
"); System.Web.HttpContext.Current.Response.End(); } } } } catch { } } /// /// 分析用户请求是否正常 /// /// 传入用户提交数据 /// 返回是否含有SQL注入式攻击代码 private bool ProcessSqlStr(string Str) { bool ReturnValue = true; try { if (Str.Trim() != "") { //string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦* ¦chr ¦mid ¦master ¦truncate ¦char ¦declare"; string SqlStr = "exec ¦insert ¦select ¦delete ¦update ¦mid ¦master ¦truncate ¦declare"; string[] anySqlStr = SqlStr.Split('¦'); foreach (string ss in anySqlStr) { if (Str.ToLower().IndexOf(ss) >= 0) { ReturnValue = false; break; } } } } catch { ReturnValue = false; } return ReturnValue; } #endregion
转载于:https://www.cnblogs.com/yohen/articles/1521939.html