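/// <summary>
/// Keyword/character blacklist run over the query string and form fields of an ASP.NET
/// <see cref="HttpRequest"/>; the request is rejected when a blacklisted token is found.
///
/// NOTE(review): a blacklist like this is defence in depth at best, not a substitute for
/// parameterised SQL. The patterns are unanchored, so ordinary values are rejected too
/// ("form" and "password" contain "or", e-mail addresses contain "@", URLs and times
/// contain ":"), and any SQL keyword that is not in the list passes through untouched.
/// The patterns are kept byte-identical to the original code; only the surrounding logic
/// was tightened (regexes built once, null-safe loops, fixed-point stripping, encoded output).
/// </summary>
public class AntiSqlInject
{
    // Keywords rejected by CheckBadWord. Matched case-insensitively and unanchored.
    private const string KeywordPattern = @"select|insert|delete|from|count\(|drop|table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec|master|netlocalgroup administrators|:|net user|""|or|and|join";

    // Single characters rejected by CheckBadWord (the '|' inside the class are literal pipes,
    // so '|' itself is rejected as well).
    private const string CharacterPattern = @"[-|;|,|\(|\)|\[|\]|\}|\{|%|@|\*|!|\']";

    // Tokens stripped by FilterBadWord. Split on '|' and applied one fragment at a time, so
    // each fragment is itself a small regex. Note: it lacks "and" although KeywordPattern
    // has it, so CheckBadWord and FilterBadWord do not agree exactly.
    private const string FilterPattern = @"select|insert|delete|from|count\(|drop|table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec|master|netlocalgroup administrators|:|net user|""|or|join|-|;|,|\/|\(|\)|\[|\]|\}|\{|%|@|\*|!|\'";

    // Constructed once instead of on every call; the patterns never change.
    private static readonly Regex KeywordRegex = new Regex(KeywordPattern, RegexOptions.IgnoreCase);
    private static readonly Regex CharacterRegex = new Regex(CharacterPattern);
    private static readonly Regex[] FilterRegexes = BuildFilterRegexes();

    /// <summary>The request being inspected. Left as a public field for existing callers.</summary>
    public HttpRequest Request;

    /// <summary>Wraps <paramref name="requestPage"/> for inspection.</summary>
    public AntiSqlInject(HttpRequest requestPage)
    {
        Request = requestPage;
    }

    /// <summary>True if any query-string value contains a blacklisted keyword or character.</summary>
    public bool CheckBadQuery()
    {
        return ContainsBadValue(Request.QueryString);
    }

    /// <summary>True if any form value contains a blacklisted keyword or character.</summary>
    public bool CheckBadForm()
    {
        return ContainsBadValue(Request.Form);
    }

    /// <summary>
    /// True if <paramref name="str"/> contains a blacklisted keyword (case-insensitive) or a
    /// blacklisted character. Null or empty input is never considered bad.
    /// </summary>
    public bool CheckBadWord(string str)
    {
        if (string.IsNullOrEmpty(str))
        {
            return false;
        }
        return KeywordRegex.IsMatch(str) || CharacterRegex.IsMatch(str);
    }

    /// <summary>
    /// Removes every token of the filter list from <paramref name="str"/>, repeating until a
    /// pass removes nothing more. Null or empty input is returned unchanged.
    /// </summary>
    /// <remarks>
    /// A single strip pass is trivially bypassed: "selselectect" loses the inner "select"
    /// and becomes "select". Each pass only deletes characters, so the string shrinks on
    /// every non-final pass and the loop always terminates.
    /// </remarks>
    public static string FilterBadWord(string str)
    {
        if (string.IsNullOrEmpty(str))
        {
            return str;
        }

        string result = str;
        string before;
        do
        {
            before = result;
            for (int i = 0; i < FilterRegexes.Length; i++)
            {
                result = FilterRegexes[i].Replace(result, string.Empty);
            }
        }
        while (result != before);

        return result;
    }

    /// <summary>
    /// Rejects the current request with a short HTML notice and ends the response when the
    /// query string or form contains a blacklisted token; otherwise does nothing.
    /// </summary>
    /// <remarks>
    /// In classic ASP.NET Response.End() normally does not return, so nothing after the call
    /// should be relied on. The notice tells the user the attempt was "recorded", but this
    /// method writes no log itself; callers that need an audit trail must log before calling it.
    /// </remarks>
    public void AntiSqlInjectionAttack()
    {
        if (!(CheckBadQuery() || CheckBadForm()))
        {
            return;
        }

        // The path is taken from the request, so it is HTML-encoded before being echoed back.
        string url = Request.ServerVariables["URL"] ?? string.Empty;
        string safeUrl = HttpUtility.HtmlEncode(url.ToLowerInvariant());

        string msg = string.Empty;
        msg += "<span style='font-size:12px;'>非法操作!系统做了如下记录!<br>";
        msg += "操作IP:" + Request.UserHostAddress + "<br>";
        // Format string fixed: the original had a doubled '-' between month and day.
        msg += "操作时间:" + System.DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") + "<br>";
        msg += "页面:" + safeUrl + "<br>";
        msg += "<a href=\"#\" onclick=\"history.back()\">返回上一页</a></span>";

        HttpContext.Current.Response.Write(msg);
        HttpContext.Current.Response.End();
    }

    // Shared loop behind CheckBadQuery/CheckBadForm. An entry whose value is null is
    // skipped rather than throwing on Trim().
    private bool ContainsBadValue(System.Collections.Specialized.NameValueCollection values)
    {
        for (int i = 0; i < values.Count; i++)
        {
            string value = values[i];
            if (value != null && CheckBadWord(value.Trim()))
            {
                return true;
            }
        }
        return false;
    }

    // One case-insensitive regex per '|'-separated fragment of FilterPattern, in list order,
    // so stripping happens in the same order as before.
    private static Regex[] BuildFilterRegexes()
    {
        string[] fragments = FilterPattern.Split('|');
        Regex[] regexes = new Regex[fragments.Length];
        for (int i = 0; i < fragments.Length; i++)
        {
            regexes[i] = new Regex(fragments[i], RegexOptions.IgnoreCase);
        }
        return regexes;
    }
}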