sql注入
// SQL injection heuristic: screen the current request's query string and form
// values before the page does any work with them.
var injectionCheck = new SqlInjectHelper(Request);
if (injectionCheck.CheckSqlInject())
{
    // A flagged request is terminated without a response body.
    Response.End();
}
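using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Linq;
using System.Web;

namespace ReadAssessment.App_Start
{
    /// <summary>
    /// Heuristic request screen: reports whether any query-string or form value
    /// contains a token from a fixed SQL keyword / symbol blacklist.
    /// Blacklist matching is coarse and has the false positives noted on
    /// <see cref="StrKeyWord"/> and <see cref="StrSymbol"/>; it does not make
    /// string-built SQL safe, so queries still have to be parameterized.
    /// The <see cref="System.Web.UI.Page"/> base class is kept for compatibility
    /// with existing callers; no Page member is used here.
    /// </summary>
    public class SqlInjectHelper : System.Web.UI.Page
    {
        // Keyword blacklist. A keyword only matches when a space borders it on at
        // least one side (see CheckKeyWord), so "or"/"and" also fire on ordinary
        // text such as "color " or "brand ", and "exec" fires on "executive ".
        private static readonly string StrKeyWord = "select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec|master|net local group administrators|net user|or|and";

        // Symbol blacklist, matched anywhere in the value. '@' rejects every
        // e-mail address and the apostrophe rejects names such as O'Brien.
        private static readonly string StrSymbol = ";|(|)|[|]|{|}|%|@|*|'|!";

        // Split once at type initialisation instead of on every CheckKeyWord call.
        private static readonly string[] PattenKeyWord = StrKeyWord.Split('|');
        private static readonly string[] PattenSymbol = StrSymbol.Split('|');

        // ASP.NET Web Forms hidden fields that both checks skip.
        private static readonly HashSet<string> SkippedFields =
            new HashSet<string>(StringComparer.Ordinal) { "__VIEWSTATE", "__EVENTVALIDATION" };

        private readonly HttpRequest request;

        /// <summary>Creates a helper bound to one request.</summary>
        /// <param name="_request">The current <see cref="HttpRequest"/>.</param>
        /// <exception cref="ArgumentNullException"><paramref name="_request"/> is null.</exception>
        public SqlInjectHelper(System.Web.HttpRequest _request)
        {
            if (_request == null)
            {
                throw new ArgumentNullException("_request");
            }
            this.request = _request;
        }

        /// <summary>Checks the query string first, then the form.</summary>
        /// <returns>true if either collection holds a blacklisted token; otherwise false.</returns>
        public bool CheckSqlInject()
        {
            return CheckRequestQuery() || CheckRequestForm();
        }

        /// <summary>Checks the URL query string for blacklisted tokens.</summary>
        /// <returns>true if any query-string value matches; otherwise false.</returns>
        public bool CheckRequestQuery()
        {
            return ContainsBlacklistedValue(request.QueryString);
        }

        /// <summary>Checks the posted form for blacklisted tokens.</summary>
        /// <returns>true if any form value matches; otherwise false.</returns>
        public bool CheckRequestForm()
        {
            return ContainsBlacklistedValue(request.Form);
        }

        // Shared walk over a request collection: skips the framework fields and
        // stops at the first flagged value. Both public checks used to duplicate
        // this loop, and only the query-string copy lower-cased the value.
        private static bool ContainsBlacklistedValue(NameValueCollection values)
        {
            if (values == null || values.Count == 0)
            {
                return false;
            }

            foreach (string fieldName in values)
            {
                if (SkippedFields.Contains(fieldName))
                {
                    continue;
                }
                if (CheckKeyWord(values[fieldName]))
                {
                    return true;
                }
            }
            return false;
        }

        /// <summary>Checks a single value against the keyword and symbol blacklists.</summary>
        /// <param name="_key">The value to inspect; null or empty never matches.</param>
        /// <returns>true if a blacklisted keyword or symbol is found; otherwise false.</returns>
        private static bool CheckKeyWord(string _key)
        {
            if (string.IsNullOrEmpty(_key))
            {
                return false;
            }

            foreach (string keyword in PattenKeyWord)
            {
                // Ordinal, case-insensitive on both the query and form paths. The
                // original lower-cased only query values (culture-sensitively), so an
                // upper-case keyword in a form field was never matched.
                if (_key.IndexOf(keyword + " ", StringComparison.OrdinalIgnoreCase) >= 0
                    || _key.IndexOf(" " + keyword, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }

            foreach (string symbol in PattenSymbol)
            {
                if (_key.IndexOf(symbol, StringComparison.Ordinal) >= 0)
                {
                    return true;
                }
            }
            return false;
        }
    }
}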