asp.net防注入代码

///  <summary>          

/// 在 Application_BeginRequest中加入函数StartProcessRequest()        

///  </summary>          

protected void Application_BeginRequest(Object sender, EventArgs e)        {                     StartProcessRequest();        

}

#region SQL注入式攻击代码分析          

///  <summary>          

/// 处理用户提交的请求         

 ///  </summary>          

private void StartProcessRequest()          

{              

try              

{                  

string getkeys = "";                  

string sqlErrorPage = "/default.aspx";//如果有非法参数,转向的错误提示页面                  

if (System.Web.HttpContext.Current.Request.QueryString != null)                  

{                      

for (int i = 0; i  < System.Web.HttpContext.Current.Request.QueryString.Count; i++)                      

{                          

getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys;                          

if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))                          

{                              

System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);                              

System.Web.HttpContext.Current.Response.End();                          

}                      

}                  

}                  

if (System.Web.HttpContext.Current.Request.Form != null)                  

{                      

for (int i = 0; i  < System.Web.HttpContext.Current.Request.Form.Count; i++)                      

{                          

getkeys = System.Web.HttpContext.Current.Request.Form.Keys;                         

 if (getkeys == "__VIEWSTATE") continue;                         

 if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))                          

{                              

System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);                              

System.Web.HttpContext.Current.Response.End();                          

}                      

}                  

}                                

 if (System.Web.HttpContext.Current.Request.Cookies != null)                  

{                      

for (int i = 0; i  < System.Web.HttpContext.Current.Request.Cookies.Count; i++)                      

{                          

getkeys = System.Web.HttpContext.Current.Request.Cookies.Keys;                        

 if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].ToString()))                          

{                              

System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);                             

 System.Web.HttpContext.Current.Response.End();                          

}                     

 }                  

}              

}              

catch              

{                  

// 错误处理: 处理用户提交信息!             

 }          

}         

 ///  <summary>          

/// 分析用户请求是否正常          

///  </summary>          

///  <param name="Str">传入用户提交数据  </param>          

///  <returns>返回是否含有SQL注入式攻击代码  </returns>          

private bool ProcessSqlStr(string Str)          

{              

bool ReturnValue = true;              t

ry              

{                  

if (Str.Trim() != "")                  

{                      

string SqlStr = "and |exec |insert |select |delete |update |count |* |chr |mid |master |truncate |char |declare";                      

string[] anySqlStr = SqlStr.Split('|');                      

foreach (string ss in anySqlStr)                     

 {                          

if (Str.ToLower().IndexOf(ss) >= 0)                          

{                              

ReturnValue = false;                              

break;                         

 }                     

 }                  

}              

}              

catch              

{

                  ReturnValue = false;              

}              return ReturnValue;          

}         

 #endregion [/pre]