  • .net程序防止sql注入源代码(转)

    一个.net程序防止sql注入的方法,方式一如下:将下面的代码加入到Global.asax文件中:
        ///<summary>
        ///防止SQL注入
        ///</summary>
        ///<param ></param>
        ///<param ></param>
        void Application_BeginRequest(Object sender, EventArgs e)
        {
            StartProcessRequest();
     
        }

    #region SQL注入式攻击代码分析

        ///<summary>
        ///处理用户提交的请求
        ///</summary>
        private void StartProcessRequest()
        {
            try
            {
                string getkeys = "";
                string sqlErrorPage = "error.aspx";//转向的错误提示页面
                if (System.Web.HttpContext.Current.Request.QueryString != null)
                {
     
                    for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                    {
                        getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                        {
                            System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                            System.Web.HttpContext.Current.Response.End();
                        }
                    }
                }
                if (System.Web.HttpContext.Current.Request.Form != null)
                {
                    for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
                    {
                        getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                        if (getkeys == "__VIEWSTATE") continue;
                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
                        {
                            System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                            System.Web.HttpContext.Current.Response.End();
                        }
                    }
               }
            }
            catch
            {
                // 错误处理: 处理用户提交信息!
            }
        }
        ///<summary>
        ///分析用户请求是否正常
        ///</summary>
        ///<param >传入用户提交数据 </param>
        ///<returns>返回是否含有SQL注入式攻击代码 </returns>
        private bool ProcessSqlStr(string Str)
        {
            bool ReturnValue = true;
            try
            {
                if (Str.Trim() != "")
                {
                    string SqlStr = "and .exec .insert .select .delete .update .count .* .chr .mid .master .truncate .char .declare";
     
                    string[] anySqlStr = SqlStr.Split('.');
                    foreach (string ss in anySqlStr)
                    {
                        if (Str.ToLower().IndexOf(ss) >= 0)
                        {
                            ReturnValue = false;
                            break;
                        }
                    }
                }
            }
            catch
            {
                ReturnValue = false;
            }
            return ReturnValue;
        }
        #endregion
    方法二如下:在App_Code文件夹中加一个类SqlZr.cs 其内容如下
     
    /// <summary>
    /// Character-stripping helper: removes a fixed set of SQL-significant
    /// characters and sequences from a request value before it is used.
    /// </summary>
    /// <remarks>
    /// Stripping is lossy (dates lose their '-', "+" tags in e-mail addresses,
    /// "%20", '=' and ',' all disappear) and a blacklist cannot be complete, so
    /// this is a mitigation for legacy string-built SQL, not a replacement for
    /// parameterized commands.
    /// </remarks>
    public class SqlZr
    {
        // Order is significant and is kept exactly as the original sequence of
        // Replace calls: multi-character sequences ("%20", "--", "==") are removed
        // before the single characters they contain.
        private static readonly string[] StrippedTokens = new string[]
        {
            ";", "'", "&", "%20", "--", "==", "<", ">", "%", "+", "-", "=", ","
        };

        public SqlZr()
        {
        }

        /// <summary>
        /// Returns <paramref name="str"/> with every token of the stripped set
        /// removed; null or empty input yields "".
        /// </summary>
        /// <param name="str">The request value to clean; may be null.</param>
        /// <returns>The cleaned value, never null.</returns>
        public static string DelSQLStr(string str)
        {
            if (string.IsNullOrEmpty(str))
            {
                return "";
            }
            string cleaned = str;
            foreach (string token in StrippedTokens)
            {
                cleaned = cleaned.Replace(token, "");
            }
            return cleaned;
        }
    }
     
    再将所有项目中的Request.QueryString["id"]改为:
    SqlZr.DelSQLStr(Request.QueryString["id"])即可
  • 原文地址:https://www.cnblogs.com/guanjie20/p/1532539.html