zoukankan      html  css  js  c++  java

  • .net防止数据注入

    把以下代码放入global.asax
            protected void Application_BeginRequest(Object sender, EventArgs e)
                {
                StartProcessRequest();
            }
            private void StartProcessRequest()
                {
                    try
                    {
                        string sqlErrorPage = "Error.aspx";//转向的错误提示页面 
                    if (System.Web.HttpContext.Current.Request.QueryString != null)
                        {

                            string url = Request.Url.ToString();
                            if (!ProcessSqlStr(url))
                            {
                            Response.Redirect(sqlErrorPage);
                        }

                    }
                        if (System.Web.HttpContext.Current.Request.Form != null)
                        {
                            System.Collections.Specialized.NameObjectCollectionBase.KeysCollection getkeys     = System.Web.HttpContext.Current.Request.Form.Keys;
                        
                                for (int j = 0; j < getkeys.Count; j++)
                                {
                                
                                    if (getkeys[j] == "__VIEWSTATE"continue;
                                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys[j]]))
                                    {
                                    System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                                    System.Web.HttpContext.Current.Response.End();
                                }

                            }
                    }
                }
                    catch
                    {
                        // 错误处理: 处理用户提交信息! 
                }
            }
                private bool ProcessSqlStr(string Str)
                {
                    bool ReturnValue = true;
                    try
                    {
                        if (Str.Trim() != "")
                        {
                            string SqlStr = "and¦exec¦insert¦select¦delete¦update¦count¦*¦chr¦mid¦master¦truncate¦char¦declare";

                            string[] anySqlStr = SqlStr.Split('¦');
                            foreach (string ss in anySqlStr)
                            {
                                if (Str.ToLower().IndexOf(ss) >= 0)
                                {
                                ReturnValue     = false;
                                    break;
                            }
                        }
                    }
                }
                    catch
                    {
                    ReturnValue     = false;
                }
                    return ReturnValue;
            }
  • 相关阅读:
    Django——基于类的视图源码分析 三
    python——深刻理解Python中的元类(metaclass)
    Django——静态文件配置
    Django——如何使用Template以及如何向template传递变量
    Django—— 缓存框架
    Django——META内部类选项
    Django——20141014深入理解Django HttpRequest HttpResponse的类和实例
    Django——如何在Django模板中注入全局变量?——part2
    Mysql查找如何判断字段是否包含某个字符串
    Mysql分表和分区的区别
  • 原文地址:https://www.cnblogs.com/weichuo/p/1205891.html
Copyright © 2011-2022 走看看