  • asp.net防止sql注入(转)

    /// <summary>
    /// ASP.NET pipeline hook raised once for every incoming request, before any page or
    /// handler runs. It only delegates to the request-screening routine.
    /// </summary>
    /// <param name="sender">Application object raising the event (not used).</param>
    /// <param name="e">Event data (not used).</param>
    void Application_BeginRequest(Object sender, EventArgs e)
    {
        this.StartProcessRequest();
    }

    #region SQL注入式攻击代码分析
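    /// <summary>
    /// Screens every query-string and form value of the current request with
    /// <see cref="ProcessSqlStr"/>. If any value is flagged, the request is redirected to
    /// the error page and the response is ended; otherwise the request proceeds.
    /// </summary>
    /// <remarks>
    /// Only <c>Request.QueryString</c> and <c>Request.Form</c> are inspected; cookies,
    /// headers and the URL path are not screened here.
    ///
    /// The previous version swallowed every exception, so any error inside the screening
    /// itself let the request through unchecked (fail-open). This version fails closed:
    /// an unexpected error during screening also diverts the request to the error page.
    /// </remarks>
    private void StartProcessRequest()
    {
        const string sqlErrorPage = "../ErrorPage.aspx"; // page the request is diverted to when flagged
        System.Web.HttpContext context = System.Web.HttpContext.Current;
        if (context == null)
        {
            return; // nothing to screen outside of a request
        }

        try
        {
            if (HasSuspiciousValue(context.Request.QueryString, false)
                || HasSuspiciousValue(context.Request.Form, true))
            {
                // Redirect(url, true) also ends the response; on .NET Framework this raises
                // ThreadAbortException, which is how the rest of the pipeline is stopped.
                context.Response.Redirect(sqlErrorPage, true);
            }
        }
        catch (System.Threading.ThreadAbortException)
        {
            // Raised by Response.Redirect above; it must propagate for the redirect to take effect.
            throw;
        }
        catch (Exception)
        {
            // Fail closed: if the screening itself blew up we cannot vouch for this request.
            context.Response.Redirect(sqlErrorPage, true);
        }
    }

    /// <summary>
    /// Returns true when any value in <paramref name="values"/> is rejected by
    /// <see cref="ProcessSqlStr"/>.
    /// </summary>
    /// <param name="values">Query-string or form collection; null is treated as empty.</param>
    /// <param name="isForm">When true, the <c>__VIEWSTATE</c> and <c>hidStdName</c> fields are skipped.</param>
    /// <returns>true if a flagged value was found; false if every value passed.</returns>
    private bool HasSuspiciousValue(System.Collections.Specialized.NameValueCollection values, bool isForm)
    {
        if (values == null)
        {
            return false;
        }

        for (int i = 0; i < values.Count; i++)
        {
            string key = values.Keys[i];

            // __VIEWSTATE is framework-generated page state. hidStdName, however, is an
            // ordinary client-supplied hidden field: skipping it means whatever the client
            // puts there reaches the application unscreened. NOTE(review): confirm that the
            // consumer of hidStdName uses a parameterized query before keeping this exemption.
            if (isForm && (key == "__VIEWSTATE" || key == "hidStdName"))
            {
                continue;
            }

            if (!ProcessSqlStr(values[key]))
            {
                return true;
            }
        }

        return false;
    }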
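    /// <summary>
    /// Checks one submitted value against a fixed deny-list of SQL fragments.
    /// </summary>
    /// <param name="Str">A single query-string or form value. Null, empty and
    /// whitespace-only values are treated as clean.</param>
    /// <returns>
    /// true when the value contains none of the listed fragments; false when it does
    /// (the matched fragment is also recorded in <c>n_errorstd</c> with type '5').
    /// </returns>
    /// <remarks>
    /// NOTE(review): a substring deny-list is not a real defence against SQL injection.
    /// It is bypassable (most keywords require a trailing space, <c>union</c> and
    /// <c>or</c> are absent, comment tricks are not covered) and it rejects legitimate
    /// input, e.g. any text containing "and ". Parameterized queries in the data-access
    /// layer are the actual control; treat this routine as a best-effort tripwire only.
    ///
    /// Changes from the original: the comparison is ordinal and case-insensitive instead
    /// of <c>ToLower()</c> + culture-sensitive <c>IndexOf</c>, whose result depends on the
    /// thread culture (e.g. under a Turkish culture "INSERT " lowercases to a dotless-i
    /// form that no longer matches "insert "); the audit insert is parameterized, which
    /// also stops the statement breaking when the matched fragment is the single quote
    /// itself; the connection and command are disposed; and a failure to write the audit
    /// row no longer influences the verdict.
    /// </remarks>
    private bool ProcessSqlStr(string Str)
    {
        if (Str == null || Str.Trim() == "")
        {
            return true;
        }

        // Same list as before, entries separated by '|'. Note that "'" and "--" are entries
        // in their own right and that several keywords rely on a trailing space.
        string SqlStr = "and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare |'|--|drop table|truncate|creat table";
        string[] anySqlStr = SqlStr.Split('|');

        foreach (string fragment in anySqlStr)
        {
            if (Str.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                // Verdict is decided here; the audit write below is best-effort.
                RecordSuspiciousFragment(fragment);
                return false;
            }
        }

        return true;
    }

    /// <summary>
    /// Best-effort audit write: inserts the matched deny-list entry into
    /// <c>n_errorstd(stdid, type)</c> with type '5'. Any failure (missing
    /// <c>adoConstr</c> setting, database unreachable, ...) is swallowed so that a
    /// logging problem cannot change the screening verdict.
    /// </summary>
    /// <param name="fragment">The deny-list entry that matched. It is passed as a SQL
    /// parameter, never concatenated into the statement.</param>
    private void RecordSuspiciousFragment(string fragment)
    {
        try
        {
            // NOTE(review): ConfigurationSettings is obsolete; ConfigurationManager.AppSettings
            // is the replacement once the project references System.Configuration.
            string strcon = System.Configuration.ConfigurationSettings.AppSettings["adoConstr"];
            if (string.IsNullOrEmpty(strcon))
            {
                return;
            }

            using (System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(strcon))
            using (System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(
                "insert into n_errorstd(stdid,type)values(@stdid,'5')", conn))
            {
                cmd.Parameters.AddWithValue("@stdid", fragment);
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
        catch (Exception)
        {
            // Deliberately best-effort: the caller has already decided the verdict.
        }
    }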
    #endregion 

  • 原文地址:https://www.cnblogs.com/bianlan/p/2498266.html