asp.net防止sql注入(转)
2012-05-13 16:52
302 查看
void Application_BeginRequest(Object sender, EventArgs e)
{
StartProcessRequest();
}
#region SQL注入式攻击代码分析
/// <summary>
/// 处理用户提交的请求
/// </summary>
private void StartProcessRequest()
{
try
{
string str = string.Empty;
string getkeys = "";
string sqlErrorPage = "../ErrorPage.aspx";//转向的错误提示页面
if (System.Web.HttpContext.Current.Request.QueryString != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage );
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys == "__VIEWSTATE" || getkeys == "hidStdName") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
// 错误处理: 处理用户提交信息!
}
}
/// <summary>
/// 分析用户请求是否正常
/// </summary>
/// <param name="Str">传入用户提交数据 </param>
/// <returns>返回是否含有SQL注入式攻击代码 </returns>
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string SqlStr = "and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare |'|--|drop table|truncate|creat table";
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
string strcon = System.Configuration.ConfigurationSettings.AppSettings["adoConstr"].ToString();
System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(strcon);
conn.Open();
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("insert into n_errorstd(stdid,type)values('" + ss + "','5')", conn);
cmd.ExecuteNonQuery();
ReturnValue = false;
break;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
#endregion
{
StartProcessRequest();
}
#region SQL注入式攻击代码分析
/// <summary>
/// 处理用户提交的请求
/// </summary>
private void StartProcessRequest()
{
try
{
string str = string.Empty;
string getkeys = "";
string sqlErrorPage = "../ErrorPage.aspx";//转向的错误提示页面
if (System.Web.HttpContext.Current.Request.QueryString != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage );
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys == "__VIEWSTATE" || getkeys == "hidStdName") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
// 错误处理: 处理用户提交信息!
}
}
/// <summary>
/// 分析用户请求是否正常
/// </summary>
/// <param name="Str">传入用户提交数据 </param>
/// <returns>返回是否含有SQL注入式攻击代码 </returns>
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string SqlStr = "and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare |'|--|drop table|truncate|creat table";
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
string strcon = System.Configuration.ConfigurationSettings.AppSettings["adoConstr"].ToString();
System.Data.SqlClient.SqlConnection conn = new System.Data.SqlClient.SqlConnection(strcon);
conn.Open();
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("insert into n_errorstd(stdid,type)values('" + ss + "','5')", conn);
cmd.ExecuteNonQuery();
ReturnValue = false;
break;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
#endregion
相关文章推荐
- asp.net程序防止sql注入
- ASP.NET如何防止SQL注入
- ASP.NET利用httpHandler 防止SQL注入!
- asp.net防止sql注入,删除关键字的一个重要方法
- asp.net sql防止sql注入
- ASP.NET 防止SQL注入。
- ASP.NET防止SQL注入的方法示例
- asp.net程序防止sql注入
- asp.net 防止 sql注入
- ASP.NET防止Sql注入的解决方法
- asp.net程序防止sql注入
- AOP实践--ASP.NET MVC 5使用Filter过滤Action参数防止sql注入,让你代码安全简洁
- asp.net 360通用防护代码,防止sql注入与xss跨站漏洞攻击
- asp.net防止sql注入
- asp.net 防止 sql注入
- asp.net网站防止sql注入
- asp.net 防止 sql注入
- ASP.NET防止Sql注入的解决方法
- ASP.NET会员注册登录模块(MD5加密,Parameters防止SQL注入,判断是否注册)
- asp.net中过滤非法字符防止SQL注入