过滤网址和输入框中的特殊字符,防止sql注入(C#版)
2013-09-18 06:53
防sql注入不必在每个页面都写验证了,下面方法便可以一劳永逸。
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
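/// <summary>
/// HTTP module that scans the query string and form fields of every request for a
/// configured list of SQL keywords and aborts the request when one is found.
/// </summary>
/// <remarks>
/// The keyword list is read from the <c>FilterSql</c> appSettings entry, '|' separated.
/// This is a keyword block list, not a complete SQL-injection defence: it inspects only
/// query-string and form values, it matches plain substrings, and it rejects legitimate
/// input that happens to contain a listed word (for example "select" in free text).
/// Treat it as defence in depth; the primary control remains parameterised queries in
/// the data-access code.
/// </remarks>
public class cedar : IHttpModule
{
    // Page linked from the rejection message written for query-string hits.
    private const string SqlErrorPage = "default.html";

    // Text written to the response when a request is rejected.
    private const string RejectMessage = "您访问的页面发生错误,此问题我们已经记录并尽快改善,请稍后再试。";

    // Form field carrying ASP.NET view state; its encoded payload is skipped by field name,
    // not by value, so a stray "exec" inside the base64 does not reject the postback.
    private const string ViewStateField = "__VIEWSTATE";

    public cedar()
    {
        // TODO: add constructor logic here
    }

    public void Dispose()
    {
    }

    /// <summary>Subscribes the inspection handler so every request is checked before the page runs.</summary>
    /// <param name="application">The application whose AcquireRequestState event is hooked.</param>
    public void Init(HttpApplication application)
    {
        application.AcquireRequestState += application_AcquireRequestState;
    }

    /// <summary>
    /// Inspects the current request; writes an error message and ends the response when a
    /// query-string or form value fails <see cref="processSqlStr"/>.
    /// </summary>
    /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        string rejection = null;
        try
        {
            // Query-string values are URL-decoded once more and form values HTML-decoded
            // before inspection; the query-string message carries a link to the error page.
            if (HasBlockedValue(context.Request.QueryString, context.Server.UrlDecode, null))
            {
                rejection = RejectMessage + "<br><a href=\"" + SqlErrorPage + "\">转到首页</a>";
            }
            else if (HasBlockedValue(context.Request.Form, context.Server.HtmlDecode, ViewStateField))
            {
                rejection = RejectMessage;
            }
        }
        catch (Exception)
        {
            // Inspection itself failed (for example the request collection could not be read).
            // Fail closed: a request that could not be checked is rejected, not passed to the page.
            rejection = RejectMessage;
        }

        if (rejection != null)
        {
            context.Response.Write(rejection);
            // Response.End stops the pipeline; it is called outside the try so the
            // ThreadAbortException it raises is not mistaken for an inspection failure.
            context.Response.End();
        }
    }

    /// <summary>
    /// Returns true when any value in <paramref name="values"/> fails <see cref="processSqlStr"/>
    /// after being passed through <paramref name="decode"/>.
    /// </summary>
    /// <param name="values">Request collection to scan; null is treated as empty.</param>
    /// <param name="decode">Decoder applied to each raw value before inspection.</param>
    /// <param name="skipKey">Field name whose value is not inspected, or null to inspect every field.</param>
    private bool HasBlockedValue(System.Collections.Specialized.NameValueCollection values,
                                 Func<string, string> decode, string skipKey)
    {
        if (values == null)
        {
            return false;
        }
        foreach (string key in values)
        {
            if (skipKey != null && string.Equals(key, skipKey, StringComparison.Ordinal))
            {
                continue;
            }
            if (!processSqlStr(decode(values[key])))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Checks one decoded request value against the configured keyword list.
    /// </summary>
    /// <param name="str">Decoded query-string or form value; null or blank is treated as clean.</param>
    /// <returns>
    /// true when the value contains none of the configured keywords; false when it does, or when
    /// the <c>FilterSql</c> setting is missing or unreadable (the filter fails closed).
    /// </returns>
    private bool processSqlStr(string str)
    {
        if (str == null || str.Trim().Length == 0)
        {
            return true;
        }

        string configured;
        try
        {
            configured = ConfigurationManager.AppSettings["FilterSql"];
        }
        catch (ConfigurationErrorsException)
        {
            return false;
        }
        if (configured == null)
        {
            // Without a keyword list the filter cannot do its job; reject rather than wave through.
            return false;
        }

        // Only the whole setting is trimmed: a token keeps its own trailing space, so "open "
        // matches only when the keyword is followed by a space. Empty tokens from a stray '|'
        // are dropped because an empty needle would match every value.
        string[] tokens = configured.Trim().Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string token in tokens)
        {
            // Ordinal, case-insensitive substring search; culture-sensitive IndexOf/ToLower
            // would behave differently under some server cultures.
            if (str.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }
        return true;
    }
}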
在web.config中添加以下:
<appSettings>
<add key="FilterSql" value="declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate "/>
</appSettings>
<httpModules>
<add type="cedar" name="cedar"/>
</httpModules>
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
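/// <summary>
/// HTTP module that scans the query string and form fields of every request for a
/// configured list of SQL keywords and aborts the request when one is found.
/// </summary>
/// <remarks>
/// The keyword list is read from the <c>FilterSql</c> appSettings entry, '|' separated.
/// This is a keyword block list, not a complete SQL-injection defence: it inspects only
/// query-string and form values, it matches plain substrings, and it rejects legitimate
/// input that happens to contain a listed word (for example "select" in free text).
/// Treat it as defence in depth; the primary control remains parameterised queries in
/// the data-access code.
/// </remarks>
public class cedar : IHttpModule
{
    // Page linked from the rejection message written for query-string hits.
    private const string SqlErrorPage = "default.html";

    // Text written to the response when a request is rejected.
    private const string RejectMessage = "您访问的页面发生错误,此问题我们已经记录并尽快改善,请稍后再试。";

    // Form field carrying ASP.NET view state; its encoded payload is skipped by field name,
    // not by value, so a stray "exec" inside the base64 does not reject the postback.
    private const string ViewStateField = "__VIEWSTATE";

    public cedar()
    {
        // TODO: add constructor logic here
    }

    public void Dispose()
    {
    }

    /// <summary>Subscribes the inspection handler so every request is checked before the page runs.</summary>
    /// <param name="application">The application whose AcquireRequestState event is hooked.</param>
    public void Init(HttpApplication application)
    {
        application.AcquireRequestState += application_AcquireRequestState;
    }

    /// <summary>
    /// Inspects the current request; writes an error message and ends the response when a
    /// query-string or form value fails <see cref="processSqlStr"/>.
    /// </summary>
    /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="e">Unused event data.</param>
    private void application_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        string rejection = null;
        try
        {
            // Query-string values are URL-decoded once more and form values HTML-decoded
            // before inspection; the query-string message carries a link to the error page.
            if (HasBlockedValue(context.Request.QueryString, context.Server.UrlDecode, null))
            {
                rejection = RejectMessage + "<br><a href=\"" + SqlErrorPage + "\">转到首页</a>";
            }
            else if (HasBlockedValue(context.Request.Form, context.Server.HtmlDecode, ViewStateField))
            {
                rejection = RejectMessage;
            }
        }
        catch (Exception)
        {
            // Inspection itself failed (for example the request collection could not be read).
            // Fail closed: a request that could not be checked is rejected, not passed to the page.
            rejection = RejectMessage;
        }

        if (rejection != null)
        {
            context.Response.Write(rejection);
            // Response.End stops the pipeline; it is called outside the try so the
            // ThreadAbortException it raises is not mistaken for an inspection failure.
            context.Response.End();
        }
    }

    /// <summary>
    /// Returns true when any value in <paramref name="values"/> fails <see cref="processSqlStr"/>
    /// after being passed through <paramref name="decode"/>.
    /// </summary>
    /// <param name="values">Request collection to scan; null is treated as empty.</param>
    /// <param name="decode">Decoder applied to each raw value before inspection.</param>
    /// <param name="skipKey">Field name whose value is not inspected, or null to inspect every field.</param>
    private bool HasBlockedValue(System.Collections.Specialized.NameValueCollection values,
                                 Func<string, string> decode, string skipKey)
    {
        if (values == null)
        {
            return false;
        }
        foreach (string key in values)
        {
            if (skipKey != null && string.Equals(key, skipKey, StringComparison.Ordinal))
            {
                continue;
            }
            if (!processSqlStr(decode(values[key])))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Checks one decoded request value against the configured keyword list.
    /// </summary>
    /// <param name="str">Decoded query-string or form value; null or blank is treated as clean.</param>
    /// <returns>
    /// true when the value contains none of the configured keywords; false when it does, or when
    /// the <c>FilterSql</c> setting is missing or unreadable (the filter fails closed).
    /// </returns>
    private bool processSqlStr(string str)
    {
        if (str == null || str.Trim().Length == 0)
        {
            return true;
        }

        string configured;
        try
        {
            configured = ConfigurationManager.AppSettings["FilterSql"];
        }
        catch (ConfigurationErrorsException)
        {
            return false;
        }
        if (configured == null)
        {
            // Without a keyword list the filter cannot do its job; reject rather than wave through.
            return false;
        }

        // Only the whole setting is trimmed: a token keeps its own trailing space, so "open "
        // matches only when the keyword is followed by a space. Empty tokens from a stray '|'
        // are dropped because an empty needle would match every value.
        string[] tokens = configured.Trim().Split(new[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (string token in tokens)
        {
            // Ordinal, case-insensitive substring search; culture-sensitive IndexOf/ToLower
            // would behave differently under some server cultures.
            if (str.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }
        return true;
    }
}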
在web.config中添加以下:
<appSettings>
<add key="FilterSql" value="declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate "/>
</appSettings>
<httpModules>
<add type="cedar" name="cedar"/>
</httpModules>