过滤网址和输入框中的特殊字符,防止sql注入
- using System;
- using System.Data;
- using System.Configuration;
- using System.Web;
- using System.Web.Security;
- using System.Web.UI;
- using System.Web.UI.HtmlControls;
- using System.Web.UI.WebControls;
- using System.Web.UI.WebControls.WebParts;
- /// <summary>
- ///cedar 的摘要说明
- /// </summary>
- public class cedar:IHttpModule
- {
- public cedar()
- {
- //
- //TODO: 在此处添加构造函数逻辑
- //
- }
- public void Dispose()
- {
- }
- public void Init(HttpApplication application)
- {
- application.AcquireRequestState += new EventHandler(application_AcquireRequestState);
- }
- private void application_AcquireRequestState(object sender, EventArgs e)
- {
- HttpContext content = ((HttpApplication)sender).Context;
- try
- {
- string sqlErrorPage = "default.html";//转到默认页面
- string keyValue = string.Empty;
- string requestUrl = content.Request.Path.ToString();
- if (content.Request.QueryString != null)
- {
- foreach (string val in content.Request.QueryString)
- {
- keyValue= content.Server.UrlDecode(content.Request.QueryString[val]);
- if (!processSqlStr(keyValue))
- {
- content.Response.Write("您访问的页面发生错误,此问题我们已经记录并尽快改善,请稍后再试。<br><a href=""+sqlErrorPage+"" mce_href=""+sqlErrorPage+"">转到首页</a>");
- content.Response.End();
- break;
- }
- }
- }
- if (content.Request.Form != null)
- {
- foreach(string val in content.Request.Form)
- {
- keyValue = content.Server.HtmlDecode(content.Request.Form[val]);
- if (keyValue == "_ViEWSTATE") continue;
- if (!processSqlStr(keyValue))
- {
- content.Response.Write("您访问的页面发生错误,此问题我们已经记录并尽快改善,请稍后再试。");
- content.Response.End();
- break;
- }
- }
- }
- }
- catch (Exception ex)
- {
- }
- }
- private bool processSqlStr(string str)
- {
- bool returnValue = true;
- try
- {
- if (str.Trim() != "")
- {
- //取得webconfig中过滤字符串
- string sqlStr = ConfigurationManager.AppSettings["FilterSql"].Trim();
- //string sqlStr = "declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate";
- string[] sqlStrs = sqlStr.Split('|');
- foreach (string ss in sqlStrs)
- {
- if (str.ToLower().IndexOf(ss) >= 0)
- {
- sqlStr = ss;
- returnValue = false;
- break;
- }
- }
- }
- }
- catch
- {
- returnValue = false;
- }
- return returnValue;
- }
- }
-
在web.config中添加以下:
<appSettings>
<add key="FilterSql" value="declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate "/>
</appSettings><httpModules>
<add type="cedar" name="cedar"/>
</httpModules>