系统安全问题

最近在处理项目中的安全问题,特别是Safe_SQL Injection的问题,所有在网上找了一下,记录一下。

 

/// <summary>
/// 创建SQL注入的类
/// </summary>
public class Safe_SQL Injection
{

  private const string StrRegex = @"\b(alert|confirm|prompt)\b|^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";

  public static bool PostData()
  {
    bool result = false;

    for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
    {
      result = CheckData(HttpContext.Current.Request.Form[i].ToString());
      if (result)
      {
        break;
      }
    }
    return result;
  }

  public static bool GetData()
  {
    bool result = false;

    for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
    {
      result = CheckData(HttpContext.Current.Request.QueryString[i].ToString());
      if (result)
      {
        break;
      }
    }
    return result;
  }

 

  public static bool CookieData()
  {
    bool result = false;
    for (int i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
    {
      result = CheckData(HttpContext.Current.Request.Cookies[i].Value.ToLower());
      if (result)
      {
        break;
      }
    }
    return result;
  }

  

  public static bool referer()
  {
    bool result = false;
    return result = CheckData(HttpContext.Current.Request.UrlReferrer.ToString());
  }

  

  public static bool CheckData(string inputData)
  {
    if (Regex.IsMatch(inputData, StrRegex))
    {
      return true;
    }
    else
    {
      return false;
    }
  }
}

 

/// <summary>
/// 在Global中调用
/// </summary>

protected void Application_BeginRequest(Object sender, EventArgs e)
{
  if (Request.Cookies != null)
  {
    if (Safe_SQL Injection.CookieData())
    {
      Response.Write("您提交的Cookie数据有恶意字符!");
      Response.End();
    }
  }

 

  if (Request.UrlReferrer != null)
  {
    if (Safe_SQL Injection.referer())
    {
      Response.Write("您提交的Referrer数据有恶意字符!");
      Response.End();
    }
  }

 

  if (Request.RequestType.ToUpper() == "POST")
  {
    if (Safe_SQL Injection.PostData())
    {
      Response.Write("您提交的Post数据有恶意字符!");
      Response.End();
    }
  }

 

  if (Request.RequestType.ToUpper() == "GET")
  {
    if (Safe_SQL Injection.GetData())
    {
      Response.Write("您提交的Get数据有恶意字符!");
      Response.End();
    }
  }
}

posted @ 2017-01-11 11:15  wucan  阅读(515)  评论(0编辑  收藏  举报