使用字符过滤的方法防止ASP.NET网站被注入

在Global.asax文件里面写入代码:

        /// <summary>
        /// Pipeline hook for the BeginRequest event: delegates all request screening
        /// to <see cref="StartProcessRequest"/>.
        /// </summary>
        /// <param name="sender">Event source (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Application_BeginRequest(Object sender, EventArgs e)
        {
            this.StartProcessRequest();
        }

 

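        /// <summary>
        /// Screens every query-string and form value of the current request against the
        /// StringHelper deny-lists and redirects to the error page when a value matches.
        /// Query-string values get the punctuation check plus both keyword checks; form
        /// values get only the keyword checks, and the WebForms "__VIEWSTATE" field is skipped.
        /// </summary>
        /// <remarks>
        /// This is a request-level deny-list filter; the handlers that consume these values
        /// still need parameterized SQL and output encoding.
        /// </remarks>
        private void StartProcessRequest()
        {
            const string sqlErrorPage = "/error";
            try
            {
                for (int i = 0; i < Request.QueryString.Count; i++)
                {
                    string val = Request.QueryString[Request.QueryString.Keys[i]];
                    if (StringHelper.CheckValidationUrl(val)
                        || StringHelper.CheckValidationKeyword(val)
                        || StringHelper.CheckValidationKeywordJS(val))
                    {
                        // Redirect(url) ends the response itself (it raises ThreadAbortException),
                        // so no separate Response.End() call is needed here.
                        Response.Redirect(sqlErrorPage);
                        return;
                    }
                }

                for (int i = 0; i < Request.Form.Count; i++)
                {
                    string key = Request.Form.Keys[i];
                    // The ASP.NET WebForms view-state field is "__VIEWSTATE" (two underscores);
                    // the previous "_VIEWSTATE" literal never matched, so view state was always scanned.
                    if (key == "__VIEWSTATE")
                    {
                        continue;
                    }
                    string val = Request.Form[key];
                    if (StringHelper.CheckValidationKeyword(val) || StringHelper.CheckValidationKeywordJS(val))
                    {
                        Response.Redirect(sqlErrorPage);
                        return;
                    }
                }
            }
            catch (System.Threading.ThreadAbortException)
            {
                // Raised by Response.Redirect to stop the pipeline; do not treat it as an error
                // (the previous catch-all redirected a second time from inside this abort).
                throw;
            }
            catch (Exception)
            {
                // Any other failure while inspecting the request: fail closed to the error page.
                Response.Redirect(sqlErrorPage);
            }
        }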

 

StringHelper.cs中的方法参考:

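        /// <summary>
        /// Reports whether <paramref name="val"/> contains any character from the
        /// query-string deny-list: ' &lt; &gt; ~ ! $ ^ * ( ) ; | / and the double quote.
        /// The percent sign is intentionally not on the list.
        /// </summary>
        /// <param name="val">The value to inspect; null or empty is treated as clean.</param>
        /// <returns>True if a disallowed character is present; otherwise false.</returns>
        public static bool CheckValidationUrl(string val)
        {
            // Original code dereferenced val unconditionally and threw on null.
            if (string.IsNullOrEmpty(val))
            {
                return false;
            }
            // '%' was deliberately left out by the original author.
            char[] disallowed = "'<>~!$^*();|/\"".ToCharArray();
            // Single pass over the value instead of one scan per deny-listed character.
            return val.IndexOfAny(disallowed) >= 0;
        }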

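        /// <summary>
        /// Reports whether <paramref name="val"/> contains one of the following SQL keywords
        /// as a whole, space-delimited word (case-insensitive): exec, insert, select, delete,
        /// update, count, chr, master, truncate, char, declare, drop, create, and, or.
        /// </summary>
        /// <param name="val">The value to inspect; null is treated as empty.</param>
        /// <returns>True if a listed keyword is present; otherwise false.</returns>
        public static bool CheckValidationKeyword(string val)
        {
            // Pad both ends so a keyword at the very start or very end of the value still has
            // the surrounding spaces the tokens require (the original only padded the start,
            // so a trailing keyword was never matched).
            string padded = " " + val + " ";
            // Each token keeps its leading and trailing space, so only whole words match.
            // "mid" was deliberately left out by the original author.
            string[] keywords = " exec | insert | select | delete | update | count | chr | master | truncate | char | declare | drop | create | and | or ".Split('|');
            foreach (string keyword in keywords)
            {
                // Ordinal, case-insensitive comparison: culture-sensitive ToLower() could map
                // letters differently (e.g. Turkish dotless i) and miss a keyword.
                if (padded.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }
            return false;
        }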

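        /// <summary>
        /// Reports whether <paramref name="val"/> contains one of the script-related words
        /// script, alert, href or location as a whole, space-delimited word (case-insensitive).
        /// </summary>
        /// <param name="val">The value to inspect; null is treated as empty.</param>
        /// <returns>True if a listed word is present; otherwise false.</returns>
        public static bool CheckValidationKeywordJS(string val)
        {
            // Pad both ends so a word at the very start or very end of the value still has
            // the surrounding spaces the tokens require (the original only padded the start).
            string padded = " " + val + " ";
            // Each token keeps its leading and trailing space, so only whole words match.
            string[] words = " script | alert | href | location ".Split('|');
            foreach (string word in words)
            {
                // Ordinal, case-insensitive comparison instead of culture-sensitive ToLower().
                if (padded.IndexOf(word, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }
            return false;
        }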

 
