using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;
/// <summary>
///SQLInjectionHelper 的摘要说明
/// </summary>
public class SQLInjectionHelper
{
public SQLInjectionHelper()
{
//
//TODO: 在此处添加构造函数逻辑
//
}
/// <summary>
/// 验证请求数据
/// </summary>
public static bool ValidUrlData(String request)
{
bool result = false;
//获取Post的数据
if (request == "POST")
{
for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
{
result = ValidData(HttpContext.Current.Request.Form[i].ToString().ToLower());
if (result)
{
break;
}
}
}
else //获取QueryString中的数据
{
for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
{
result = ValidData(HttpContext.Current.Request.QueryString[i].ToString().ToLower());
if (result)
{
break;
}
}
}
return result;
}
/// <summary>
/// 验证是否存在注入代码
/// </summary>
/// <param name="inputData">输入字符</param>
/// <returns></returns>
private static bool ValidData(String inputData)
{
//验证inputData是否包含恶意集合
if (Regex.IsMatch(inputData, GetRegexString()))
{
return true;
}
else
{
return false;
}
}
/// <summary>
/// 获取正则表达式
/// </summary>
private static String GetRegexString()
{
//构造SQL的注入关键字符
String[] strBadChar = {"and","exec","insert","select","delete","update","count","from",
"drop","asc","char","or","%",";",":","\'","\"","-","chr","mid","master",
"truncate","char","declare","SiteName","net user","xp_cmdshell","/add",
"exec master.dbo.xp_cmdshell","net localgroup administrators"};
//构造正则表达式
String str_Regex = ".*(";
for (int i = 0; i < strBadChar.Length - 1; i++)
{
str_Regex += strBadChar[i] + "|";
}
str_Regex += strBadChar[strBadChar.Length - 1] + ").*";
return str_Regex;
}
}
View Code
