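using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;

namespace SqlIn
{
    /// <summary>
    /// Handler factory that wraps the framework <see cref="PageHandlerFactory"/> and hooks the page's
    /// PreLoad event with a keyword blacklist: POST form values are rewritten through
    /// <see cref="Common.InputText"/>, GET query-string values are rejected by <see cref="IsSafeString"/>.
    /// NOTE(review): a keyword blacklist is not an injection defense on its own. It rejects many
    /// legitimate values (anything containing "and", "select", "update" or an apostrophe) and does not
    /// replace parameterized queries in the data layer; treat it as defense in depth only.
    /// </summary>
    public class SqlInPost : IHttpHandlerFactory
    {
        // Fragments checked by IsSafeString, in the original order (22 entries). Several are redundant
        // (";and" is covered by "and", ";exec" by "exec", ...) and the plain words reject ordinary text
        // such as "android" or "O'Brien"; contents kept as in the original. Hoisted so it is built once
        // instead of on every call.
        private static readonly string[] UnsafeFragments = new string[]
        {
            "'",
            "xp_cmdshell",
            "exec master.dbo.xp_cmdshell",
            "net localgroup administrators",
            "delete from",
            "net user",
            "/add",
            "drop table",
            "update",
            "select",
            ";and",
            ";exec",
            ";create",
            ";insert",
            "and",
            "exec",
            "create",
            "insert",
            "master.dbo",
            ";--",
            "--",
            "1=",
        };

        public SqlInPost()
        {
            // TODO: add constructor logic here
        }

        /// <summary>
        /// Creates the real page handler through the framework factory and, when it is a <see cref="Page"/>,
        /// attaches the request filter to its PreLoad event: the form filter for POST, the query-string
        /// check for GET. Other request methods get no filter.
        /// </summary>
        /// <returns>The handler produced by <see cref="PageHandlerFactory"/>.</returns>
        public virtual IHttpHandler GetHandler(HttpContext context, string requestType, string url, string pathTranslated)
        {
            // PageHandlerFactory exposes no public constructor, hence reflection with nonPublic = true.
            PageHandlerFactory factory = (PageHandlerFactory)Activator.CreateInstance(typeof(PageHandlerFactory), true);
            IHttpHandler handler = factory.GetHandler(context, requestType, url, pathTranslated);

            Page page = handler as Page;
            if (page != null)
            {
                // Method names are compared ordinally, as in the original. Note that a POST request gets
                // only the form filter: its query string is not inspected — kept as in the original,
                // confirm this is intended.
                if (requestType == "POST")
                {
                    page.PreLoad += new EventHandler(FilterStrFactoryHandler_PreLoad);
                }
                else if (requestType == "GET")
                {
                    page.PreLoad += new EventHandler(FilterStrFactoryHandler_PreLoad1);
                }
            }

            return handler;
        }

        /// <summary>
        /// PreLoad handler for POST requests. For every posted form key that resolves to a TextBox,
        /// HtmlInputControl or HtmlTextArea on the page, replaces the control's value with the result
        /// of <see cref="Common.InputText"/>.
        /// </summary>
        void FilterStrFactoryHandler_PreLoad(object sender, EventArgs e)
        {
            Page page = sender as Page;
            if (page == null)
            {
                return;
            }

            try
            {
                NameValueCollection postData = page.Request.Form;
                foreach (string postKey in postData)
                {
                    // A form entry without "=" is stored under a null key; there is no control to look up.
                    if (string.IsNullOrEmpty(postKey))
                    {
                        continue;
                    }

                    Control ctl = page.FindControl(postKey);

                    TextBox textBox = ctl as TextBox;
                    if (textBox != null)
                    {
                        textBox.Text = Common.InputText(textBox.Text);
                        continue;
                    }

                    HtmlInputControl input = ctl as HtmlInputControl;
                    if (input != null)
                    {
                        input.Value = Common.InputText(input.Value);
                        continue;
                    }

                    HtmlTextArea textArea = ctl as HtmlTextArea;
                    if (textArea != null)
                    {
                        textArea.Value = Common.InputText(textArea.Value);
                    }
                }
            }
            catch
            {
                // Best-effort, as in the original: a failure here leaves the remaining fields
                // unfiltered (fail-open), so callers must not rely on this filter alone.
            }
        }

        /// <summary>
        /// PreLoad handler for GET requests. Rejects the request — writes "非法传值!" and ends the
        /// response — as soon as one query-string value fails <see cref="IsSafeString"/>.
        /// </summary>
        void FilterStrFactoryHandler_PreLoad1(object sender, EventArgs e)
        {
            Page page = sender as Page;
            if (page == null)
            {
                return;
            }

            // No catch-all here on purpose: the original swallowed every exception, so a failure of
            // the check itself let the request through unchecked (fail-open). Response.End() raises
            // ThreadAbortException by design; letting it propagate is the normal ASP.NET flow.
            NameValueCollection queryValues = page.Request.QueryString;

            // Loop bound reconstructed: the original line lost its condition in extraction
            // ("for (int i = 0; i" ...); iterating to Count is the only reading that fits Get(i).
            for (int i = 0; i < queryValues.Count; i++)
            {
                if (!IsSafeString(queryValues.Get(i)))
                {
                    page.Response.Write("非法传值!");
                    page.Response.End();
                    return;
                }
            }
        }

        /// <summary>
        /// Nothing to release: the handler comes from <see cref="PageHandlerFactory"/> and holds no
        /// resources of this factory.
        /// </summary>
        public virtual void ReleaseHandler(IHttpHandler handler)
        {
        }

        /// <summary>
        /// Returns false when <paramref name="p"/> contains any blacklisted fragment, true otherwise.
        /// Matching is ordinal and case-insensitive. A null value is treated as safe — the original
        /// threw NullReferenceException, which its caller swallowed before proceeding anyway.
        /// </summary>
        /// <param name="p">The query-string value to check; may be null.</param>
        public bool IsSafeString(string p)
        {
            if (p == null)
            {
                return true;
            }

            foreach (string fragment in UnsafeFragments)
            {
                // OrdinalIgnoreCase replaces ToLower() + culture-sensitive IndexOf: under some cultures
                // (e.g. Turkish, where "I" lowercases to dotless "ı") the old form missed fragments.
                if (p.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return false;
                }
            }

            return true;
        }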
}publicclassCommon
{publicstaticstringInputText(stringtext)
{
text=text.Trim();if(string.IsNullOrEmpty(text))returnstring.Empty;
text=Regex.Replace(text,"[\\s]{2,}","");//two or more spacestext=Regex.Replace(text,"()+|()","\n");//
text=Regex.Replace(text,"(\\s*&[n|N][b|B][s|S][p|P];\\s*)+","");// text=Regex.Replace(text,"",string.Empty);//any other tagstext=text.Replace("'","''");
text=text.Replace("xp_cmdshell","");
text=text.Replace("exec master.dbo.xp_cmdshell","");
text=text.Replace("net localgroup administrators","");
text=text.Replace("delete from","");
text=text.Replace("net user","");
text=text.Replace("/add","");
text=text.Replace("drop table","");
text=text.Replace("update","");returntext;
}
}
}