  • .net sql 防注入 httpmodule

    1 新建一个类,实现IHttpModule接口

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Text;
    namespace DotNet.Common.WebForm
    {
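    /// <summary>
    /// HTTP module that rejects a request when any query-string or form value contains a
    /// blacklisted SQL keyword. This is a coarse defence-in-depth screen only: substring
    /// matching can be evaded and also produces false positives (any value containing
    /// "open" is rejected), so it never replaces parameterized queries in the data layer.
    /// </summary>
    public class SqlHttpModule : IHttpModule
    {
        // Keywords matched case-insensitively as substrings of each request value.
        // Most entries carry a trailing space so that words such as "selection" pass;
        // "open" is kept without one exactly as in the original list (comment there said
        // the list is normally loaded from a shared xml/txt file). "create " replaces the
        // former "creat ", which could never match the actual SQL keyword.
        private static readonly string[] DangerousKeywords =
        {
            "insert ", "delete ", "select ", "update ", "exec ", "varchar ", "drop ",
            "create ", "declare ", "truncate ", "cursor ", "begin ", "open", "<-- ", "--> ",
        };

        public void Dispose()
        {
        }

        /// <summary>Subscribes the screen to the AcquireRequestState pipeline event.</summary>
        /// <param name="context">The application whose requests are screened.</param>
        public void Init(HttpApplication context)
        {
            context.AcquireRequestState += context_AcquireRequestState;
        }

        /// <summary>
        /// Screens the GET and POST parameters of the current request and rejects the
        /// request when any value fails <see cref="FilterSql"/>.
        /// </summary>
        /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
        /// <param name="e">Unused event data.</param>
        /// <exception cref="HttpException">
        /// Thrown with status 400 when a parameter contains a blacklisted keyword: rejected
        /// input is a client error, not a server fault. Handlers that previously caught
        /// <see cref="Exception"/> still catch this. The former try/catch that did
        /// <c>throw ex;</c> (discarding the stack trace) is gone; exceptions propagate as-is.
        /// </exception>
        private void context_AcquireRequestState(object sender, EventArgs e)
        {
            HttpContext context = ((HttpApplication)sender).Context;
            HttpRequest request = context.Request;

            // Query string (GET). NOTE(review): ASP.NET normally hands these values back
            // already URL-decoded; the extra UrlDecode is kept from the original and has the
            // side effect of also screening double-encoded input.
            if (request.QueryString != null)
            {
                for (int i = 0; i < request.QueryString.Count; i++)
                {
                    string key = request.QueryString.Keys[i];
                    string value = context.Server.UrlDecode(request.QueryString[key]);
                    if (!FilterSql(value))
                    {
                        throw new HttpException(400, "QueryString(GET) including dangerous sql key word!");
                    }
                }
            }

            // Form body (POST). The view-state blob is framework-generated rather than
            // user-typed, so it is skipped as in the original.
            if (request.Form != null)
            {
                for (int i = 0; i < request.Form.Count; i++)
                {
                    if (request.Form.Keys[i] == "__VIEWSTATE")
                    {
                        continue;
                    }

                    string value = context.Server.HtmlDecode(request.Form[i]);
                    if (!FilterSql(value))
                    {
                        throw new HttpException(400, "Request.Form(POST) including dangerous sql key word!");
                    }
                }
            }
        }

        /// <summary>
        /// Checks one decoded request value against <see cref="DangerousKeywords"/>.
        /// </summary>
        /// <param name="key">The value to inspect; null or empty always passes.</param>
        /// <returns>
        /// <c>true</c> when the value contains none of the keywords, <c>false</c> when it
        /// contains at least one.
        /// </returns>
        private bool FilterSql(string key)
        {
            if (string.IsNullOrEmpty(key))
            {
                return true;
            }

            foreach (string keyword in DangerousKeywords)
            {
                // Ordinal, case-insensitive search instead of ToUpper() on both sides:
                // culture-sensitive casing can silently miss a match under some locales
                // (e.g. Turkish dotted/dotless i) and allocated two strings per keyword.
                if (key.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return false;
                }
            }

            return true;
        }
    }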
    }

    2   在web项目中应用 
    只要在web.config的httpModules节点下面添加如下配置即可。 
    <httpModules> 
    <add name="SqlHttpModule" type="DotNet.Common.WebForm.SqlHttpModule, DotNet.Common.WebForm"></add> 
    </httpModules>

    或者是:

    <httpModules> 
    <add name="SqlHttpModule" type="DotNet.Common.WebForm.SqlHttpModule"></add> 
    </httpModules>

    type 的值是公共类的命名空间+类名；第一种写法中逗号后面还带了程序集名。

    转载自http://blog.csdn.net/loveheye/article/details/5948610

  • 原文地址:https://www.cnblogs.com/luyesql/p/4228535.html