ASP.NET 利用 IHttpHandlerFactory（httpHandler 工厂）过滤 SQL 注入特征字符串（黑名单式过滤，不能替代参数化查询）

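using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;

namespace SqlIn
{
    /// <summary>
    /// Handler factory that wraps the standard <see cref="PageHandlerFactory"/> and hooks the
    /// page's <c>PreLoad</c> event to run a substring blacklist over request input.
    ///
    /// SECURITY NOTE: a substring blacklist is NOT a defence against SQL injection. It is easy
    /// to bypass (alternate encodings, comments, any keyword not on the list) and it rejects or
    /// mangles ordinary text that merely contains "and", "update", "select", "1=", an
    /// apostrophe, etc. The reliable fix is parameterized queries (SqlParameter / an ORM) at
    /// every data-access call site; treat this class as, at most, a coarse defence-in-depth
    /// hook. How the factory is registered (web.config) is not part of this listing.
    /// </summary>
    public class SqlInPost : IHttpHandlerFactory
    {
        // The real page factory. ASP.NET reuses a single factory instance across requests, so
        // one cached instance is sufficient here (presumably PageHandlerFactory keeps no
        // per-request state — it is the runtime's own factory). nonPublic=true is kept from the
        // original, which implies the constructor is not public on the targeted framework.
        private static readonly PageHandlerFactory s_pageFactory =
            (PageHandlerFactory)Activator.CreateInstance(typeof(PageHandlerFactory), true);

        // Substrings that cause a query-string value to be rejected (ordinal, case-insensitive).
        // The original list also carried ";and", ";exec", ";create", ";insert", ";--" and
        // "exec master.dbo.xp_cmdshell"; those are omitted because the shorter entry below
        // already matches every string they would match, so the accepted set is unchanged.
        private static readonly string[] s_unsafeSubstrings = new string[]
        {
            "'",
            "xp_cmdshell",
            "net localgroup administrators",
            "delete from",
            "net user",
            "/add",
            "drop table",
            "update",
            "select",
            "and",
            "exec",
            "create",
            "insert",
            "master.dbo",
            "--",
            "1=",
        };

        /// <summary>
        /// Builds the handler for <paramref name="url"/> through the standard page factory and,
        /// when it is a <see cref="Page"/>, attaches the input filters to its PreLoad event.
        /// </summary>
        /// <param name="context">Current request context.</param>
        /// <param name="requestType">HTTP method ("GET", "POST", ...); compared case-sensitively as in the original.</param>
        /// <param name="url">Virtual path of the requested page.</param>
        /// <param name="pathTranslated">Physical path of the requested page.</param>
        /// <returns>The handler produced by <see cref="PageHandlerFactory"/>, unchanged apart from the event hooks.</returns>
        public virtual IHttpHandler GetHandler(HttpContext context, string requestType, string url, string pathTranslated)
        {
            IHttpHandler handler = s_pageFactory.GetHandler(context, requestType, url, pathTranslated);

            Page page = handler as Page;
            if (page == null)
            {
                // Only a Page exposes PreLoad; any other handler is returned unfiltered.
                return handler;
            }

            // The query string is attacker-controlled for every verb, so it is checked on every
            // request. The original hooked this check for GET only, which left the query string
            // of a POST (or any other method) completely uninspected.
            page.PreLoad += new EventHandler(FilterStrFactoryHandler_PreLoad1);

            if (requestType == "POST")
            {
                page.PreLoad += new EventHandler(FilterStrFactoryHandler_PreLoad);
            }

            return handler;
        }

        /// <summary>
        /// PreLoad handler for POST requests: every posted form key that resolves (via
        /// <c>Page.FindControl</c>) to a TextBox, HtmlInputControl or HtmlTextArea has its
        /// value passed through <see cref="Common.InputText"/>.
        ///
        /// Limitation visible from the code: keys that do not resolve to one of those three
        /// control types (hidden fields, other control types, keys with no server control)
        /// reach the page untouched.
        /// </summary>
        /// <param name="sender">The <see cref="Page"/> raising PreLoad.</param>
        /// <param name="e">Unused.</param>
        void FilterStrFactoryHandler_PreLoad(object sender, EventArgs e)
        {
            Page page = sender as Page;
            if (page == null)
            {
                return;
            }

            // Deliberately no catch-all: the original wrapped this in try { } catch { }, so any
            // exception silently stopped filtering and let the request through (fail-open).
            // Letting it surface produces an error response instead (fail-closed).
            NameValueCollection postData = page.Request.Form;
            foreach (string postKey in postData)
            {
                if (postKey == null)
                {
                    // A body like "foo" (no '=') yields a null key; nothing to look up.
                    continue;
                }

                Control ctl = page.FindControl(postKey);

                TextBox textBox = ctl as TextBox;
                if (textBox != null)
                {
                    textBox.Text = Common.InputText(textBox.Text);
                    continue;
                }

                HtmlInputControl input = ctl as HtmlInputControl;
                if (input != null)
                {
                    input.Value = Common.InputText(input.Value);
                    continue;
                }

                HtmlTextArea textArea = ctl as HtmlTextArea;
                if (textArea != null)
                {
                    textArea.Value = Common.InputText(textArea.Value);
                }
            }
        }

        /// <summary>
        /// PreLoad handler: rejects the request when any query-string value fails
        /// <see cref="IsSafeString"/>. On a hit it responds with HTTP 400 and the original
        /// rejection text, then ends the response (the original answered 200).
        /// Only values are inspected; query-string keys are not (as in the original).
        /// </summary>
        /// <param name="sender">The <see cref="Page"/> raising PreLoad.</param>
        /// <param name="e">Unused.</param>
        void FilterStrFactoryHandler_PreLoad1(object sender, EventArgs e)
        {
            Page page = sender as Page;
            if (page == null)
            {
                return;
            }

            // No catch-all, for the same fail-open reason as the POST filter: in the original a
            // throw mid-loop (e.g. a null value) aborted the check and every remaining
            // parameter passed unexamined.
            NameValueCollection query = page.Request.QueryString;
            for (int i = 0; i < query.Count; i++)
            {
                if (IsSafeString(query.Get(i)))
                {
                    continue;
                }

                page.Response.StatusCode = 400;
                page.Response.Write("非法传值!");
                page.Response.End(); // terminates request processing; nothing below runs
                return;
            }
        }

        /// <summary>
        /// No per-handler cleanup: nothing is allocated per request that needs releasing.
        /// </summary>
        /// <param name="handler">The handler previously returned by <see cref="GetHandler"/>.</param>
        public virtual void ReleaseHandler(IHttpHandler handler)
        {
        }

        /// <summary>
        /// Returns false when <paramref name="p"/> contains any blacklisted substring
        /// (ordinal, case-insensitive); null or empty input is considered safe because there
        /// is nothing to inspect. Expect false positives on ordinary text ("hand", "selection",
        /// "update", "1=1" in a formula, any apostrophe).
        /// </summary>
        /// <param name="p">The value to inspect; may be null.</param>
        /// <returns>true when no blacklisted substring is present.</returns>
        public bool IsSafeString(string p)
        {
            if (string.IsNullOrEmpty(p))
            {
                return true;
            }

            // Ordinal + ignore-case instead of the original ToLower() + culture-sensitive
            // IndexOf: under e.g. tr-TR, "INSERT".ToLower() is "ınsert" (dotless i) and the
            // keyword is missed entirely.
            foreach (string unsafeSubstring in s_unsafeSubstrings)
            {
                if (p.IndexOf(unsafeSubstring, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return false;
                }
            }

            return true;
        }
    }

    /// <summary>
    /// Input normalisation helper used by the POST filter.
    /// </summary>
    public class Common
    {
        // Phrases stripped from posted text, matched case-insensitively. Longest first so that
        // "exec master.dbo.xp_cmdshell" is removed whole; the original removed "xp_cmdshell"
        // first and therefore always left "exec master.dbo." behind.
        private static readonly string[] s_strippedPhrases = new string[]
        {
            "exec master.dbo.xp_cmdshell",
            "net localgroup administrators",
            "xp_cmdshell",
            "delete from",
            "drop table",
            "net user",
            "update",
            "/add",
        };

        /// <summary>
        /// Trims, removes whitespace runs and HTML artefacts, doubles single quotes and strips
        /// a short list of SQL/OS keywords from <paramref name="text"/>.
        ///
        /// SECURITY NOTE: this is input mangling, not escaping. Doubling "'" only helps when the
        /// value is concatenated into a SQL string literal; if it is later bound as a parameter
        /// the doubled quote is stored verbatim. Keyword stripping silently alters legitimate
        /// data (the word "update" vanishes from a sentence). Neither replaces parameterized
        /// queries.
        /// </summary>
        /// <param name="text">Raw posted text; null is treated as empty.</param>
        /// <returns>The normalised text, or an empty string when nothing remains after trimming.</returns>
        public static string InputText(string text)
        {
            if (text == null)
            {
                return string.Empty;
            }

            text = text.Trim();
            if (text.Length == 0)
            {
                return string.Empty;
            }

            // Runs of two or more whitespace characters are deleted outright (original behaviour).
            text = Regex.Replace(text, "[\\s]{2,}", "");

            // NOTE(review): the next pattern and the "any other tags" pattern further down were
            // lost when this listing was copied (HTML tags stripped, leaving "()+|()" and ""),
            // and as published they insert "\n" at every character boundary / do nothing.
            // The patterns used here are a reconstruction from the surrounding comments
            // (<br> -> newline, drop any other tag) — confirm against the original source.
            text = Regex.Replace(text, "(<br\\s*/?>)+", "\n", RegexOptions.IgnoreCase);
            text = Regex.Replace(text, "(\\s*&[n|N][b|B][s|S][p|P];\\s*)+", "");
            text = Regex.Replace(text, "<[^>]*>", string.Empty); // any other tags (reconstructed, see note above)

            // Quote doubling for values concatenated into SQL string literals (see class note).
            text = text.Replace("'", "''");

            // Strip keywords case-insensitively and repeat until stable: the original's single,
            // case-sensitive Replace let "UPDATE" through and turned "upupdatedate" into "update".
            string previous;
            do
            {
                previous = text;
                foreach (string phrase in s_strippedPhrases)
                {
                    text = Regex.Replace(text, Regex.Escape(phrase), string.Empty, RegexOptions.IgnoreCase);
                }
            } while (!string.Equals(previous, text, StringComparison.Ordinal));

            return text;
        }
    }
}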
