您的位置:首页 > 数据库

过滤网址和输入框中的特殊字符,防止sql注入(C#版)

2009-11-25 12:57 567 查看
防sql注入不必在每个页面都写验证了,下面方面便可以一劳永逸。

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;

/// <summary>
///cedar 的摘要说明
/// </summary>
public class cedar:IHttpModule
{
public cedar()
{
//
//TODO: 在此处添加构造函数逻辑
//
}
public void Dispose()
{

}

public void Init(HttpApplication application)
{
application.AcquireRequestState += new EventHandler(application_AcquireRequestState);
}
private void application_AcquireRequestState(object sender, EventArgs e)
{
HttpContext content = ((HttpApplication)sender).Context;
try
{
string sqlErrorPage = "default.html";//转到默认页面
string keyValue = string.Empty;
string requestUrl = content.Request.Path.ToString();
if (content.Request.QueryString != null)
{
foreach (string val in content.Request.QueryString)
{
keyValue= content.Server.UrlDecode(content.Request.QueryString[val]);
if (!processSqlStr(keyValue))
{
content.Response.Write("您访问的页面发生错误,此问题我们已经记录并尽快改善,请稍后再试。<br><a href=""+sqlErrorPage+"" mce_href=""+sqlErrorPage+"">转到首页</a>");
content.Response.End();
break;
}
}
}
if (content.Request.Form != null)
{
foreach(string val in content.Request.Form)
{
keyValue = content.Server.HtmlDecode(content.Request.Form[val]);
if (keyValue == "_ViEWSTATE") continue;
if (!processSqlStr(keyValue))
{
content.Response.Write("您访问的页面发生错误,此问题我们已经记录并尽快改善,请稍后再试。");
content.Response.End();
break;
}
}
}
}
catch (Exception ex)
{
}
}
private bool processSqlStr(string str)
{
bool returnValue = true;
try
{
if (str.Trim() != "")
{
//取得webconfig中过滤字符串
string sqlStr = ConfigurationManager.AppSettings["FilterSql"].Trim();
//string sqlStr = "declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate";
string[] sqlStrs = sqlStr.Split('|');
foreach (string ss in sqlStrs)
{
if (str.ToLower().IndexOf(ss) >= 0)
{
sqlStr = ss;
returnValue = false;
break;
}
}
}
}
catch
{
returnValue = false;
}
return returnValue;
}
}


在web.config中添加以下:

<appSettings>
<add key="FilterSql" value="declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate "/>
</appSettings>

<httpModules>
<add type="cedar" name="cedar"/>
</httpModules>
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签: 
相关文章推荐
新的分享
章节导航