asp.net 防止sql 攻击 全站做法

在 Global.asax 中加入下面的代码

 


        /**//// <summary>
        ///SQL注入过滤
        /// </summary>
        /// <param name="InText">要过滤的字符串</param>
        /// <returns>如果参数存在不安全字符,则返回true</returns>
        public static bool SqlFilter2(string InText)
        ...{
            string word="and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|'";
            if(InText==null)
                return false;
            foreach(string i in word.Split('|'))
            ...{
                if((InText.ToLower().IndexOf(i+" ")>-1)||(InText.ToLower().IndexOf(" "+i)>-1))
                ...{
                    return true;
                }
            }
            return false;
        }
 

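/// <summary>
/// Runs at the start of every request and passes each POST (form) and GET (query string) value
/// to <see cref="goErr"/>, which redirects to the configured error page when the SQL keyword
/// filter matches. Only the __VIEWSTATE hidden field is skipped; every other form field,
/// including other ASP.NET system fields, is scanned.
/// </summary>
/// <param name="sender">The application raising the event.</param>
/// <param name="e">Event data (unused).</param>
protected void Application_BeginRequest(Object sender, EventArgs e)
        {
            // POST parameters, except the view-state hidden field.
            foreach(string key in Request.Form)
            {
                if(key=="__VIEWSTATE")
                    continue;
                // Form[key] already returns a string; the extra ToString() was redundant.
                goErr(Request.Form[key]);
            }
            // GET parameters.
            foreach(string key in Request.QueryString)
            {
                goErr(Request.QueryString[key]);
            }
        }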

 

  /**//// <summary>
  /// 校验参数是否存在SQL字符
  /// </summary>
  /// <param name="tm"></param>
  private void goErr(string tm)
  ...{
   string Errorpage = System.Configuration.ConfigurationSettings.AppSettings["SqlErrorpage"].ToString();
   if(HuTong.BaseClass.SqlFilter2(tm))
    this.Response.Redirect(Errorpage);
  }

 

 

 <add key="SqlErrorpage" value="/SqlError.htm"></add>

  

本文来自CSDN博客,转载请标明出处:http://blog.csdn.net/mubingyun/archive/2009/01/10/3739336.aspx

 
