防止SQL注入2

通过Global.asax过滤关键字
方法一:
protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        //SQL防注入
        string Sql_1 = "exec|insert+|select+|delete|update|count|chr|mid|master+|truncate|char|declare|drop+|drop+table|creat+|creat+table";
        string Sql_2 = "exec+|insert+|delete+|update+|count(|count+|chr+|+mid(|+mid+|+master+|truncate+|char+|+char(|declare+|drop+|creat+|drop+table|creat+table";
        string[] sql_c = Sql_1.Split('|');
        string[] sql_c1 = Sql_2.Split('|');

        if (Request.QueryString != null)
        {
            foreach (string sl in sql_c)
            {
                if (Request.QueryString.ToString().ToLower().IndexOf(sl.Trim()) >= 0)
                {
                    Response.Write("警告!你的IP已经被记录!");//
                    Response.Write(sl);
                    Response.Write(Request.QueryString.ToString());
                    Response.End();
                    break;
                }
            }
        }

        if (Request.Form.Count > 0)
        {
            string s1 = Request.ServerVariables["SERVER_NAME"].Trim();//服务器名称
            if (Request.ServerVariables["HTTP_REFERER"] != null)
            {
                string s2 = Request.ServerVariables["HTTP_REFERER"].Trim();//http接收的名称
                string s3 = "";
                if (s1.Length > (s2.Length - 7))
                {
                    s3 = s2.Substring(7);
                }
                else
                {
                    s3 = s2.Substring(7, s1.Length);
                }
                if (s3 != s1)
                {
                    Response.Write("你的IP已被记录!警告!");//
                    Response.End();
                }
            }
        }
    }
    
    方法二:(比较好用)
      /// <summary>
    /// 当有数据时交时,触发事件
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="e"></param>
    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        //遍历Post参数,隐藏域除外
        foreach (string i in this.Request.Form)
        {
            if (i == "__VIEWSTATE") continue;
            this.goErr(this.Request.Form[i].ToString());
        }
        //遍历Get参数。
        foreach (string i in this.Request.QueryString)
        {
            this.goErr(this.Request.QueryString[i].ToString()); 

        }

    }

    /// <summary>
    ///SQL注入过滤
    /// </summary>
    /// <param name="InText">要过滤的字符串</param>
    /// <returns>如果参数存在不安全字符,则返回true</returns>
    public bool SqlFilter(string InText)
    {
        string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|;|'|--";//这里加要过滤的SQL字符
        if (InText == null)
            return false;
        foreach (string i in word.Split('|'))
        {
            if ((InText.ToLower().IndexOf(i + " ") > -1) || (InText.ToLower().IndexOf(" " + i) > -1))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// 校验参数是否存在SQL字符
    /// </summary>
    /// <param name="tm"></param>
    private void goErr(string tm)
    {
        if (SqlFilter(tm))
        {
            Response.Write("<script>window.alert('参数存在不安全字符');"+"</"+"script>");
        }
    }
posted @ 2016-07-29 14:08  离。  阅读(39)  评论(0编辑  收藏  举报