  • .net防止数据注入

    把以下代码放入global.asax
            protected void Application_BeginRequest(Object sender, EventArgs e)
            
    {
                StartProcessRequest();
            }
            private void StartProcessRequest()
            
    {
                
    try
                
    {
                    
    string sqlErrorPage = "Error.aspx";//转向的错误提示页面 
                    if (System.Web.HttpContext.Current.Request.QueryString != null)
                    
    {

                        
    string url = Request.Url.ToString();
                        
    if (!ProcessSqlStr(url))
                        
    {
                            Response.Redirect(sqlErrorPage);
                        }


                    }

                    
    if (System.Web.HttpContext.Current.Request.Form != null)
                    
    {
                            System.Collections.Specialized.NameObjectCollectionBase.KeysCollection getkeys 
    = System.Web.HttpContext.Current.Request.Form.Keys;
                        
                            
    for (int j = 0; j < getkeys.Count; j++)
                            
    {
                                
                                
    if (getkeys[j] == "__VIEWSTATE"continue;
                                
    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys[j]]))
                                
    {
                                    System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                                    System.Web.HttpContext.Current.Response.End();
                                }


                            }

                    }

                }

                
    catch
                
    {
                    
    // 错误处理: 处理用户提交信息! 
                }

            }

            
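    /// <summary>
    /// Returns <c>false</c> when <paramref name="Str"/> contains any token of a fixed list
    /// of SQL keywords and symbols, and <c>true</c> otherwise (including for null, empty
    /// or whitespace-only input).
    /// </summary>
    /// <remarks>
    /// This is a keyword blocklist, not an injection defence. It rejects ordinary text such
    /// as "commander" (contains "and") or any value containing "*", and a fixed word list
    /// is necessarily incomplete. The reliable control is to never build SQL by string
    /// concatenation: pass every user-supplied value through a parameterised command
    /// (SqlParameter). Treat this filter as, at most, a noisy early warning.
    /// </remarks>
    /// <param name="Str">Raw request value (URL or form field) to inspect; may be null.</param>
    /// <returns><c>true</c> if no listed token occurs in the value.</returns>
    private bool ProcessSqlStr(string Str)
    {
        // Nothing to inspect. The original returned true for empty strings but false for
        // null, because a NullReferenceException fell into its catch-all; null is now
        // treated like empty instead of using an exception for control flow.
        if (Str == null || Str.Trim() == "")
        {
            return true;
        }

        // Same tokens as the original '¦'-separated list, including the bare '*'.
        string[] blockedTokens =
        {
            "and", "exec", "insert", "select", "delete", "update", "count", "*",
            "chr", "mid", "master", "truncate", "char", "declare"
        };

        foreach (string token in blockedTokens)
        {
            // Ordinal case-insensitive search replaces ToLower() + culture-sensitive
            // IndexOf: culture-aware comparison can behave differently per culture and
            // the original lowered the whole string once per token.
            if (Str.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }

        return true;
    }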
  • 原文地址:https://www.cnblogs.com/weichuo/p/1205891.html