【转载】asp.net整站防sql注入
一:一个方法
/// <summary>
///SQL注入过滤
/// </summary>
/// <param name="InText">要过滤的字符串</param>
/// <returns>如果参数存在不安全字符,则返回true</returns>
public static bool SqlFilter2(string InText)
{
string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|'";
if (InText == null)
return false;
foreach (string str_t in word.Split('|'))
{
if ((InText.ToLower().IndexOf(str_t + " ") > -1) || (InText.ToLower().IndexOf(" " + str_t) > -1) || (InText.ToLower().IndexOf(str_t) > -1))
{
return true;
}
}
return false;
}
二:global.ascx 中的一个方法
/// <summary>
/// 当有数据时交时,触发事件
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
protected void Application_BeginRequest(Object sender, EventArgs e)
{
//遍历Post参数,隐藏域除外
foreach (string str_t in this.Request.Form)
{
if (str_t == "__VIEWSTATE") continue;
this.goErr(this.Request.Form[str_t].ToString());
}
//遍历Get参数。
foreach (string str_t in this.Request.QueryString)
{
this.goErr(this.Request.QueryString[str_t].ToString());
}
}
三:global.asax中的另外一方法
/// <summary>
/// 校验参数是否存在SQL字符
/// </summary>
/// <param name="tm"></param>
private void goErr(string tm)
{
if (wenlong.function.func.SqlFilter2(tm))
this.Response.Redirect("/error");
//Response.Redirect();
}