  • asp.net防止sql注入(转)

    /// <summary>
    /// ASP.NET <c>BeginRequest</c> handler: hands every incoming request to the
    /// SQL-keyword screening implemented in <see cref="StartProcessRequest"/>.
    /// </summary>
    /// <param name="sender">The application raising the event (unused).</param>
    /// <param name="e">Event data (unused).</param>
    void Application_BeginRequest(Object sender, EventArgs e)
    {
        // Kept as a one-line delegation so the screening logic stays separate from the pipeline hook.
        this.StartProcessRequest();
    }

    #region SQL注入式攻击代码分析
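    /// <summary>
    /// Screens every query-string and form value of the current request with
    /// <see cref="ProcessSqlStr"/>; on the first rejected value the response is
    /// redirected to the error page and ended.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist on request parameters, not a defence against SQL
    /// injection by itself: it can be bypassed by input the list does not cover and
    /// it rejects ordinary text (an apostrophe, a word ending in "and "). Every
    /// data-access path must still use parameterized queries.
    /// </remarks>
    private void StartProcessRequest()
    {
        const string sqlErrorPage = "../ErrorPage.aspx"; // page the user is redirected to on a rejected value
        try
        {
            System.Web.HttpRequest request = System.Web.HttpContext.Current.Request;

            // Query string first, then the form; scanning stops at the first hit.
            // __VIEWSTATE and hidStdName carry encoded data that would trip the filter.
            if (HasSuspiciousValue(request.QueryString, null)
                || HasSuspiciousValue(request.Form, new string[] { "__VIEWSTATE", "hidStdName" }))
            {
                // Redirect(url) already ends the response (endResponse defaults to true);
                // the explicit End() is kept for clarity.
                System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                System.Web.HttpContext.Current.Response.End();
            }
        }
        catch
        {
            // Best-effort: a failure inside the scan must not break request processing.
            // Note that the ThreadAbortException raised by Response.End() is re-raised by the
            // runtime at the end of this block, so the redirect still takes effect.
        }
    }

    /// <summary>
    /// Returns true when any value in <paramref name="values"/> whose key is not in
    /// <paramref name="skipKeys"/> is rejected by <see cref="ProcessSqlStr"/>.
    /// </summary>
    /// <param name="values">Query-string or form collection; null yields false.</param>
    /// <param name="skipKeys">Keys to leave unscreened, or null to screen every key.</param>
    private bool HasSuspiciousValue(System.Collections.Specialized.NameValueCollection values, string[] skipKeys)
    {
        if (values == null)
        {
            return false;
        }
        // AllKeys may contain null (a query such as "?foo"); values[null] returns that value.
        foreach (string key in values.AllKeys)
        {
            if (skipKeys != null && System.Array.IndexOf(skipKeys, key) >= 0)
            {
                continue;
            }
            if (!ProcessSqlStr(values[key]))
            {
                return true;
            }
        }
        return false;
    }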
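    /// <summary>
    /// Screens one request value against a fixed list of SQL keywords and punctuation.
    /// A hit is recorded in the n_errorstd table (best-effort).
    /// </summary>
    /// <param name="Str">A single query-string or form value; null or blank is treated as clean.</param>
    /// <returns>true when no listed token occurs in the value, false when one does.</returns>
    /// <remarks>
    /// Substring blacklisting is a heuristic only: it does not replace parameterized
    /// queries on the data-access side, and it rejects legitimate text containing an
    /// apostrophe or a word such as "band ". The verdict never depends on whether the
    /// audit insert succeeded.
    /// </remarks>
    private bool ProcessSqlStr(string Str)
    {
        // Null used to throw inside the old try/catch and be reported as an attack; an
        // absent value carries nothing to inject, so it is treated as clean.
        if (Str == null || Str.Trim() == "")
        {
            return true;
        }

        // Tokens are matched as plain substrings. Several end in a space so that e.g.
        // "select " does not match "selection". "creat table" looks like a typo for
        // "create table" and never matches the latter; the list is left as-is.
        string SqlStr = "and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare |'|--|drop table|truncate|creat table";
        string matched = null;
        foreach (string token in SqlStr.Split('|'))
        {
            // Ordinal, case-insensitive: a security check must not depend on the thread culture.
            if (Str.IndexOf(token, System.StringComparison.OrdinalIgnoreCase) >= 0)
            {
                matched = token;
                break;
            }
        }
        if (matched == null)
        {
            return true;
        }

        try
        {
            LogSqlPatternHit(matched);
        }
        catch
        {
            // Logging failure (missing "adoConstr", database down) does not change the verdict.
        }
        return false;
    }

    /// <summary>
    /// Writes the matched token to n_errorstd using a parameterized insert.
    /// </summary>
    /// <param name="token">The blacklist token that was found in the request value.</param>
    private static void LogSqlPatternHit(string token)
    {
        string strcon = System.Configuration.ConfigurationSettings.AppSettings["adoConstr"];
        // Parameterized so that tokens such as the single quote cannot break the statement;
        // the concatenated form produced invalid SQL whenever the "'" token matched.
        using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(strcon))
        using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("insert into n_errorstd(stdid,type)values(@stdid,'5')", conn))
        {
            cmd.Parameters.AddWithValue("@stdid", token);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }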
    #endregion 

  • 原文地址:https://www.cnblogs.com/bianlan/p/2498266.html