防止SQL注入
Code SQL注入式攻击代码分析#region SQL注入式攻击代码分析 
/**//// <summary> 
/// 处理用户提交的请求 
/// </summary> private void StartProcessRequest() 
{ string getkeys = ""; string sqlErrorPage = "web_error.aspx";//转向的错误提示页面 if (System.Web.HttpContext.Current.Request.QueryString != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys])) { //System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage + "?code=1&str=" + System.Web.HttpContext.Current.Request.QueryString[getkeys]); System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage + "?code=1&str=InvalidRequest"); return; //System.Web.HttpContext.Current.Response.End(); } } } } /**//// <summary> /// 分析用户请求是否正常 /// </summary> /// <param name="Str">传入用户提交数据 </param> /// <returns>返回是否含有SQL注入式攻击代码 </returns> private bool ProcessSqlStr(string Str) { bool ReturnValue = true; try { if (Str.Trim() != "") { string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦* ¦' ¦chr ¦mid ¦master ¦truncate ¦char ¦declare"; string[] anySqlStr = SqlStr.Split('¦'); foreach (string ss in anySqlStr) { if (Str.ToLower().IndexOf(ss.Trim()) >= 0) { ReturnValue = false; break; } } } } catch { ReturnValue = false; } return ReturnValue; } 
#endregion