防止 SQL 注入
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web;
•
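/// <summary>
/// Keyword-blacklist screen for SQL injection attempts in the current ASP.NET request.
/// </summary>
/// <remarks>
/// This is a heuristic filter, not a security boundary: it flags any value that merely
/// contains one of the blacklisted tokens (so ordinary text containing "and", "from" or
/// ":" is rejected as well), and a payload can be phrased to avoid every listed token.
/// The data layer must still use parameterized queries; this class only adds an early,
/// noisy rejection in front of it. Note the naming: every method here returns
/// <c>true</c> when a suspicious token IS found.
/// </remarks>
public class SQLInjectionHelper
{
    // Tokens treated as suspicious, matched case-insensitively as plain substrings.
    // Entries are kept as originally published except for dropping the duplicate
    // "char". "SiteName" now actually matches: the original lower-cased the input but
    // compared against the mixed-case entry, so that token could never hit.
    private static readonly string[] CheckWords =
    {
        "and", "exec", "insert", "select", "delete", "update", "count", "from", "drop",
        "asc", "char", "*", "%", ";", ":", "\'", "\"", "chr", "mid", "master", "truncate",
        "declare", "SiteName", "net user", "xp_cmdshell", "/add",
        "exec master.dbo.xp_cmdshell", "net localgroup administrators"
    };

    /// <summary>
    /// Screens every query-string value of the current request.
    /// </summary>
    /// <returns><c>true</c> when at least one value contains a blacklisted token.</returns>
    public static bool ValidUrlGetData()
    {
        return AnyValueFlagged(HttpContext.Current.Request.QueryString);
    }

    /// <summary>
    /// Screens every form (POST body) value of the current request.
    /// </summary>
    /// <returns><c>true</c> when at least one value contains a blacklisted token.</returns>
    public static bool ValidUrlPostData()
    {
        return AnyValueFlagged(HttpContext.Current.Request.Form);
    }

    /// <summary>
    /// Checks a single value against the blacklist.
    /// </summary>
    /// <param name="inputData">The value to inspect; <c>null</c> or empty is never flagged.</param>
    /// <returns><c>true</c> when <paramref name="inputData"/> contains any blacklisted token, ignoring case.</returns>
    public static bool ValidData(string inputData)
    {
        if (string.IsNullOrEmpty(inputData))
        {
            return false;
        }

        // Ordinal, case-insensitive substring search: the result must not depend on the
        // thread's culture, which the original ToLower()/IndexOf(string) pair did.
        return CheckWords.Any(token => inputData.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    /// <summary>
    /// Applies <see cref="ValidData"/> to every value in <paramref name="values"/>.
    /// </summary>
    /// <returns><c>true</c> as soon as one value is flagged; <c>false</c> for a null or empty collection.</returns>
    private static bool AnyValueFlagged(NameValueCollection values)
    {
        if (values == null)
        {
            return false;
        }

        for (int i = 0; i < values.Count; i++)
        {
            // values[i] may be null for an entry without a value; ValidData treats null
            // as clean, where the original's .ToString() call would have thrown.
            if (ValidData(values[i]))
            {
                return true;
            }
        }

        return false;
    }
}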
然后在 global.asax 的 BeginRequest 中加入以下代码：
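bool result = false;

// A POST request can still carry a query string, so the query string is screened for
// every request and the form body additionally for POST. The original only checked
// one or the other, leaving a POST's query-string values unexamined.
result = SQLInjectionHelper.ValidUrlGetData(); // query-string data
if (!result && string.Equals(Request.RequestType, "POST", StringComparison.OrdinalIgnoreCase))
{
    result = SQLInjectionHelper.ValidUrlPostData(); // form data
}

if (result)
{
    // Refuse the request. A 400 status makes the rejection visible to clients and
    // in server logs instead of returning the message with a 200.
    Response.StatusCode = 400;
    Response.Write("您提交的数据有恶意字符!");
    // Response.End() terminates the pipeline (it raises ThreadAbortException in
    // classic ASP.NET), so nothing after it in this handler runs.
    Response.End();
}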