什么叫SQL注入攻击,我就不多说了,这里只讲防范代码。
1、先在要防范的文件Page_Load事件里写调用语句:
/// <summary>
/// Page entry point: runs the SqlInject request screen before any of the page's
/// own processing. On a match SqlInject writes an error page and ends the response,
/// so nothing after this call executes for that request.
/// </summary>
protected void Page_Load(object sender, EventArgs e)
{
    new SqlInject(Request).CheckSqlInject();
}
2、SqlInject是实现类,具体是在App_code文件夹里定义一个类文件SqlInject.cs,类的实现代码如下:
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Data.OleDb;
using System.Text.RegularExpressions;
///
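/// <summary>
/// Request blacklist screen: scans the query string and form values of the wrapped
/// <see cref="HttpRequest"/> for SQL keywords and punctuation and, on a match, aborts
/// the response with an error page.
/// </summary>
/// <remarks>
/// This is a heuristic filter, not a defence on its own. Keyword and character
/// blacklists are incomplete and also reject legitimate input (any value containing
/// "/" or "," or the words " or" / "and " trips it). Database access must still use
/// parameterised commands (e.g. <c>SqlParameter</c>); treat this class as an extra
/// logging/blocking layer at most.
/// </remarks>
public class SqlInject
{
    // Keyword list, split on '|'. NOTE(review): as laid out here the verbatim literal
    // wraps across lines, so tokens such as "drop\ntable" and "net\nlocal group
    // administrators" contain a newline and only match input containing that newline.
    // If this is not a copy/paste artefact, keep every token on one line.
    private const string StrKeyWord =
@"select|insert|delete|from|count(|drop
table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec|master|net
local group administrators|net user|or|and";

    // Punctuation list, split on '|'. Despite the name no regular expression is
    // involved; each token is matched with a plain String.Contains.
    private const string StrRegex = @";|,|/|(|)|[|]|{|}|@|*|'|!";

    // Split once instead of on every CheckKeyWord call.
    private static readonly string[] KeyWordTokens = StrKeyWord.Split('|');
    private static readonly string[] RegexTokens = StrRegex.Split('|');

    private readonly HttpRequest request;

    /// <summary>Wraps the request whose query string and form will be scanned.</summary>
    /// <param name="_request">The current request; must not be null.</param>
    /// <exception cref="ArgumentNullException"><paramref name="_request"/> is null.</exception>
    public SqlInject(System.Web.HttpRequest _request)
    {
        if (_request == null)
        {
            throw new ArgumentNullException("_request");
        }
        this.request = _request;
    }

    /// <summary>
    /// Scans query string and form; writes the error page and ends the response if
    /// either contains a blacklisted token. Returns normally otherwise.
    /// </summary>
    public void CheckSqlInject()
    {
        if (CheckRequestQuery() || CheckRequestForm())
        {
            ShowErr();
        }
    }

    /// <summary>
    /// Replaces the response with a short block notice (client IP, server time, page)
    /// and terminates the request.
    /// </summary>
    private void ShowErr()
    {
        // Every request-derived value is HTML-encoded before it is written: the URL
        // and query string are attacker-controlled, and echoing them unencoded would
        // turn this error page into a reflected XSS sink.
        string clientIp = HttpUtility.HtmlEncode(request.ServerVariables["REMOTE_ADDR"]);
        string url = request.ServerVariables["URL"] ?? string.Empty;
        string page = HttpUtility.HtmlEncode(url.ToLowerInvariant() + request.QueryString.ToString());

        string msg = @"请不要尝试未授权之入侵检测!" + @"
";
        msg += @"操作IP:" + clientIp + @"
";
        // Local server time; operator-facing only.
        msg += @"操作时间:" + DateTime.Now + @"
";
        msg += @"页面:" + page + @"
";
        msg += @"关闭";

        HttpResponse response = HttpContext.Current.Response;
        response.Clear();
        response.Write(msg);
        // Response.End() halts the page pipeline by raising ThreadAbortException, so
        // neither the rest of this method nor the caller's Page_Load continues.
        response.End();
    }

    /// <summary>The raw '|'-separated keyword blacklist.</summary>
    public static string KeyWord
    {
        get
        {
            return StrKeyWord;
        }
    }

    /// <summary>The raw '|'-separated punctuation blacklist.</summary>
    public static string RegexString
    {
        get
        {
            return StrRegex;
        }
    }

    /// <summary>
    /// Checks whether a (lower-cased) value contains a blacklisted keyword adjacent to
    /// a space, or any blacklisted punctuation character.
    /// </summary>
    /// <param name="_key">The value to scan; null or empty is treated as clean.</param>
    /// <returns>true if a token matches; otherwise false.</returns>
    private static bool CheckKeyWord(string _key)
    {
        if (string.IsNullOrEmpty(_key))
        {
            return false;
        }
        foreach (string token in KeyWordTokens)
        {
            // A keyword counts only when bounded by a space on at least one side. Note
            // this also flags ordinary text such as "and " or " or".
            if (_key.Contains(token + " ") || _key.Contains(" " + token))
            {
                return true;
            }
        }
        foreach (string token in RegexTokens)
        {
            if (_key.Contains(token))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>Checks every query-string value of the wrapped request.</summary>
    /// <returns>true if any value contains a blacklisted token; otherwise false.</returns>
    public bool CheckRequestQuery()
    {
        return ContainsInjection(request.QueryString);
    }

    /// <summary>Checks every posted form value of the wrapped request.</summary>
    /// <returns>true if any value contains a blacklisted token; otherwise false.</returns>
    public bool CheckRequestForm()
    {
        return ContainsInjection(request.Form);
    }

    // Shared scan for both collections. Values are lower-cased with the invariant
    // culture because every blacklist token is lower case; without that an upper-case
    // value would slip past the check. ASP.NET's own hidden fields are skipped,
    // presumably because their encoded payload would trip the punctuation list.
    private static bool ContainsInjection(System.Collections.Specialized.NameValueCollection values)
    {
        if (values == null || values.Count == 0)
        {
            return false;
        }
        foreach (string name in values)
        {
            if (name == "__VIEWSTATE" || name == "__EVENTVALIDATION")
            {
                continue;
            }
            string value = values[name] ?? string.Empty;
            if (CheckKeyWord(value.ToLowerInvariant()))
            {
                return true;
            }
        }
        return false;
    }
}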