  • ASP.NETURL地址防注入过滤问题

    首先在 Global.asax.cs 里面配置一个请求事件处理程序（Application_BeginRequest）。不用过滤所有的地址，只过滤带有 GET/POST 参数的请求地址就行了。

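    /// <summary>
    /// Runs at the start of every request. When the request carries form or
    /// query-string parameters, the request URL is passed through
    /// <see cref="FilterUrl"/>; if the filtered URL differs from the original,
    /// the client is redirected to the filtered URL.
    /// </summary>
    /// <param name="sender">The application object raising the event.</param>
    /// <param name="e">Unused event arguments.</param>
    /// <remarks>
    /// NOTE(review): only the URL is inspected, even on POST — the form body
    /// itself is never filtered, despite the original "filter POST parameters"
    /// intent. Substring blacklisting of this kind is not a reliable control
    /// against SQL injection or XSS; parameterized queries and output encoding
    /// are the actual controls, and this filter is at most defence-in-depth.
    /// The redirect target is derived from Request.Url, whose host part
    /// presumably comes from the request's Host header — confirm the site has a
    /// fixed host binding so the redirect cannot point elsewhere.
    /// </remarks>
    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        // The original POST and GET branches did exactly the same thing
        // (filter the full URL). Folding them into one check avoids issuing a
        // second redirect after the first one has already ended the response.
        bool hasParameters = this.Request.Form.Count > 0
                             || this.Request.QueryString.Count > 0;
        if (!hasParameters)
        {
            return;
        }

        string url = this.Request.Url.ToString();
        string filterUrl = FilterUrl(url);

        // FilterUrl lower-cases its input, so any URL containing an upper-case
        // character differs here and triggers a redirect to the lower-cased form.
        if (!string.Equals(url, filterUrl, StringComparison.Ordinal))
        {
            // endResponse:false plus CompleteRequest() stops the pipeline without
            // the ThreadAbortException that Response.Redirect(url) raises.
            this.Response.Redirect(filterUrl, false);
            this.CompleteRequest();
        }
    }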
    
     
     
    
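    /// <summary>
    /// Lower-cases <paramref name="url"/> and strips a fixed blacklist of
    /// characters and keywords from it, in the order listed in <see cref="UrlBlacklist"/>.
    /// </summary>
    /// <param name="url">The request URL to filter; null or empty is returned unchanged.</param>
    /// <returns>The lower-cased URL with every blacklisted substring removed.</returns>
    /// <remarks>
    /// NOTE(review): this is substring removal over the whole URL, not token
    /// matching, so legitimate path or query text that happens to contain a
    /// listed word (e.g. "selection", "linkage", "embedded") is mangled, and
    /// removing "%" and "+" breaks percent-encoded values. The lower-casing
    /// also changes case-sensitive path segments. A blacklist like this is not
    /// a substitute for parameterized SQL and output encoding.
    /// </remarks>
    private string FilterUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
        {
            return url;
        }

        string replaceStr = url.ToLower();
        foreach (string token in UrlBlacklist)
        {
            replaceStr = replaceStr.Replace(token, "");
        }
        return replaceStr;
    }

    // Order is significant: removals run sequentially on the already-modified
    // string, so e.g. "frame" being listed before "iframe" means an "iframe"
    // occurrence has already lost its "frame" suffix by the time its own entry
    // is reached (likewise "layer" before "ilayer"). The double-quote entry was
    // an uncompilable `"""` literal in the original and is written as "\"" here.
    private static readonly string[] UrlBlacklist =
    {
        "<", ">", "|", "\"", "'", "%", ";", "(", ")", "+",
        "script", "alert", "select", "update", "insert", "like",
        "applet", "body", "embed", "frame", "html", "iframe", "img",
        "style", "layer", "link", "ilayer", "meta", "object",
    };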

    下面是图解:

  • 原文地址:https://www.cnblogs.com/wt-vip/p/5779344.html