SQL防注入
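using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;

/// <summary>
/// Keyword-blacklist screen for request data that "looks like" SQL injection.
///
/// SECURITY NOTE: this is NOT a defense against SQL injection and must not be
/// relied on as one. It is a denylist of substrings; it cannot see encoding
/// tricks, comments, or keywords it does not list, and it rejects plenty of
/// legitimate text (any value containing "and", "or", "from", "-", "'" ...).
/// The actual control is parameterized queries / stored procedures with bound
/// parameters at every SQL call site. Treat this class as a coarse pre-filter
/// and nothing more.
/// </summary>
public class SQLInjectionHelper
{
    // Original blacklist, with the duplicate "char" entry dropped. Order does not matter
    // because every entry is matched as a literal alternative (Regex.Escape below), so the
    // "." in "exec master.dbo.xp_cmdshell" is a literal dot rather than "any character".
    private static readonly string[] BadPatterns =
    {
        "and", "exec", "insert", "select", "delete", "update", "count", "from",
        "drop", "asc", "char", "or", "%", ";", ":", "'", "\"", "-", "chr", "mid", "master",
        "truncate", "declare", "SiteName", "net user", "xp_cmdshell", "/add",
        "exec master.dbo.xp_cmdshell", "net localgroup administrators"
    };

    // Built once instead of per call. IgnoreCase|CultureInvariant replaces the caller-side
    // ToLower(): the old pattern was case-sensitive while the input was lower-cased, so the
    // mixed-case "SiteName" entry could never match, and culture-sensitive ToLower() breaks
    // ASCII keyword matching under e.g. tr-TR (I -> dotless i). No ".*" wrappers: IsMatch is
    // already unanchored, and ".*(...).*" made every non-matching scan quadratic.
    private static readonly Regex BadPatternRegex = new Regex(
        string.Join("|", BadPatterns.Select(Regex.Escape).ToArray()),
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant | RegexOptions.Compiled);

    /// <summary>
    /// Kept for source compatibility; the class holds only static members.
    /// </summary>
    public SQLInjectionHelper()
    {
    }

    /// <summary>
    /// Screens the current request's values against the blacklist.
    /// </summary>
    /// <param name="request">
    /// HTTP verb. "POST" (compared case-insensitively) screens the form body; any other
    /// value screens the query string. Note the gap: the query string of a POST request,
    /// cookies, headers and route values are never inspected.
    /// </param>
    /// <returns>true as soon as any value matches a blacklisted pattern; false otherwise,
    /// including when there is no current HttpContext (nothing to inspect).</returns>
    public static bool ValidUrlData(String request)
    {
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return false;
        }

        bool isPost = string.Equals(request, "POST", StringComparison.OrdinalIgnoreCase);
        var values = isPost ? context.Request.Form : context.Request.QueryString;

        for (int i = 0; i < values.Count; i++)
        {
            // Indexing by position yields the joined value string for that key (may be null).
            if (ValidData(values[i]))
            {
                return true;
            }
        }

        return false;
    }

    /// <summary>
    /// Returns true when <paramref name="inputData"/> contains any blacklisted pattern.
    /// Public (was private) so the pure string check can be unit-tested and reused for
    /// sources ValidUrlData does not cover; existing callers are unaffected.
    /// </summary>
    /// <param name="inputData">Raw value to screen; null or empty is treated as clean.</param>
    public static bool ValidData(String inputData)
    {
        if (string.IsNullOrEmpty(inputData))
        {
            return false;
        }

        return BadPatternRegex.IsMatch(inputData);
    }
}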
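/// <summary>
/// Global.asax hook: screens every request's form body (POST) or query string (other
/// verbs) with SQLInjectionHelper and short-circuits the request on a match.
/// This blacklist is a coarse pre-filter only; SQL call sites still need parameterized
/// queries. It does not cover the query string of POST requests, cookies, headers or
/// route values.
/// </summary>
/// <param name="sender">The HttpApplication raising the event (unused).</param>
/// <param name="e">Event arguments (unused).</param>
void Application_BeginRequest(Object sender, EventArgs e)
{
    // ToUpperInvariant: the verb is an ASCII token, culture-sensitive ToUpper() is wrong here.
    bool suspicious = SQLInjectionHelper.ValidUrlData(Request.RequestType.ToUpperInvariant());
    if (!suspicious)
    {
        return;
    }

    // Reject as a client error instead of a 200 with an error body, so proxies, access logs
    // and monitoring can distinguish a blocked request from a successful one.
    Response.StatusCode = 400;
    // Keep our message; otherwise IIS may replace the body of a 4xx with its own error page.
    Response.TrySkipIisCustomErrors = true;
    Response.Write("您提交的数据有恶意字符!");
    // Response.End() stops the pipeline immediately (classic ASP.NET implements this by raising
    // ThreadAbortException); kept as in the original so later modules never see the request.
    Response.End();
}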