之乎者也,阿弥陀佛

软件设计的原则就是,化繁为简,化难为易,把人的思维集中在简单的领域,然后通过有序的组合实现复杂的逻辑。

一个 .NET 程序防止 SQL 注入的方法。方法一如下:将下面的代码加入到 Global.asax 文件中。需要注意,这种关键字过滤只能作为辅助检查,既可能误拦正常输入,也不能保证拦住所有注入;访问数据库的代码仍应使用参数化查询。
    ///<summary>
    ///防止SQL注入
    ///</summary>
    ///<param ></param>
    ///<param ></param>
    void Application_BeginRequest(Object sender, EventArgs e)
    {
        StartProcessRequest();
 
    }

#region SQL注入式攻击代码分析

    ///<summary>
    ///处理用户提交的请求
    ///</summary>
    private void StartProcessRequest()
    {
        try
        {
            string getkeys = "";
            string sqlErrorPage = "error.aspx";//转向的错误提示页面
            if (System.Web.HttpContext.Current.Request.QueryString != null)
            {
 
                for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
            if (System.Web.HttpContext.Current.Request.Form != null)
            {
                for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                    if (getkeys == "__VIEWSTATE") continue;
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
           }
        }
        catch
        {
            // 错误处理: 处理用户提交信息!
        }
    }
    ///<summary>
    ///分析用户请求是否正常
    ///</summary>
    ///<param >传入用户提交数据 </param>
    ///<returns>返回是否含有SQL注入式攻击代码 </returns>
    private bool ProcessSqlStr(string Str)
    {
        bool ReturnValue = true;
        try
        {
            if (Str.Trim() != "")
            {
                string SqlStr = "and .exec .insert .select .delete .update .count .* .chr .mid .master .truncate .char .declare";
 
                string[] anySqlStr = SqlStr.Split('.');
                foreach (string ss in anySqlStr)
                {
                    if (Str.ToLower().IndexOf(ss) >= 0)
                    {
                        ReturnValue = false;
                        break;
                    }
                }
            }
        }
        catch
        {
            ReturnValue = false;
        }
        return ReturnValue;
    }
    #endregion
方法二如下:在 App_Code 文件夹中添加一个类文件 SqlZr.cs,其内容如下:
 
/// <summary>
/// Helper for the article's second approach: strips a fixed set of characters and
/// character sequences from a request value.
/// </summary>
/// <remarks>
/// Removing punctuation does not make a value safe to concatenate into SQL text, and it
/// alters legitimate data ("O'Brien" becomes "OBrien", "-5" becomes "5"). Validate the
/// expected type (for an id, parse it as an integer) and pass values as query parameters.
/// </remarks>
public class SqlZr
{
    /// <summary>Creates an instance; the class holds no state.</summary>
    public SqlZr()
    {
    }

    /// <summary>
    /// Returns <paramref name="str"/> with the listed fragments removed.
    /// </summary>
    /// <param name="str">Input value; may be <c>null</c>.</param>
    /// <returns>
    /// An empty string for <c>null</c> or empty input, otherwise the input without any of
    /// <c>; ' &amp; &lt; &gt; % + - = ,</c> and with each "%20" sequence removed.
    /// </returns>
    public static string DelSQLStr(string str)
    {
        if (string.IsNullOrEmpty(str))
        {
            return "";
        }

        // Applied strictly in this order: "%20" has to be removed before the bare "%",
        // otherwise the "20" would be left behind.
        string[] fragments = { ";", "'", "&", "%20", "--", "==", "<", ">", "%", "+", "-", "=", "," };

        string cleaned = str;
        foreach (string fragment in fragments)
        {
            cleaned = cleaned.Replace(fragment, "");
        }

        return cleaned;
    }
}
 
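再将项目中所有的 Request.QueryString["id"] 改为:
SqlZr.DelSQLStr(Request.QueryString["id"])
即可。注意:删除这些字符并不能让字符串拼接的 SQL 变得安全(例如数字型参数的注入并不需要引号),同时还会破坏包含这些字符的正常数据;像 id 这样的数字参数应先用 int.TryParse 校验,再通过参数化查询传入。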
posted on 2009-07-27 23:28  搏击的小船