反SQL注入攻击,特殊字符与特殊关键字过滤。
说到SQL注入攻击,我想大家都并不陌生,甚至深爱其害.那怎么才避免遭受攻击,减少伤害呢.在此我提出几点建议:
一.尽量使用参数形式,少用拼凑型SQL语句.这不但安全,还增加代码可读性,何乐不为呢!
SqlParameter[] parms = new SqlParameter[] {
new SqlParameter(PARM_EMAIL, SqlDbType.VarChar, 80),
new SqlParameter(PARM_FIRST_NAME, SqlDbType.VarChar, 80),
new SqlParameter(PARM_LAST_NAME, SqlDbType.VarChar, 80),
new SqlParameter(PARM_ADDRESS1, SqlDbType.VarChar, 80),
new SqlParameter(PARM_ADDRESS2, SqlDbType.VarChar, 50),
new SqlParameter(PARM_CITY, SqlDbType.VarChar, 80),
new SqlParameter(PARM_STATE, SqlDbType.VarChar, 80),
new SqlParameter(PARM_ZIP, SqlDbType.VarChar, 50),
new SqlParameter(PARM_COUNTRY, SqlDbType.VarChar, 50),
new SqlParameter(PARM_PHONE, SqlDbType.VarChar, 80),
new SqlParameter(PARM_USER_ID, SqlDbType.VarChar, 80)};
二.转换参数类型.如是参数是数字型,则转换成数字型的才操作.
三.替换特殊字符.如将"'"替换成""".
四.条件可以的话,请使用存储过程操作数据库.
五.等等,当然安全要做的事,远远不止这些..
在这里我还要再发布自已用过的,用于参数及表单过滤的一个类.请大家自已扩展
using System;
using System.Text.RegularExpressions;
using Microsoft.VisualBasic;
namespace zhang.Common
{
public class AntiSqlInAttack
{
public System.Web.HttpRequest request;
public AntiSqlInAttack(System.Web.HttpRequest request)
{
this.request = request;
}
public bool CheckBadQuery()
{
//整串字符对比方法
//string badword = ";|'|*|%| and |20%and20%| master |20%master20%|exec|insert|select|delete|count|chr|mid|truncate|char|declare|update";
//string query = request.ServerVariables["Query_String"].ToString();
//string[] badwordArry = badword.Split(new char[] { '|' });
//for (int i = 0; i < badwordArry.Length; i++)
//{
// string tempWord = badwordArry[i].Trim();
// if (query.IndexOf(tempWord) >= 1)
// return true;
//}
//return false;
if (request.QueryString.Count != 0)
{
for (int i = 0; i < request.QueryString.Count; i++)
{
if (CheckBadWord(request.QueryString[i].ToString()))
return true;
}
}
return false;
}
public bool CheckBadForm()
{
if (request.Form.Count > 0)
{
for (int i = 0; i < request.Form.Count; i++)
{
if (CheckBadWord(request.Form[i]))
return true;
}
}
return false;
}
public bool CheckBadWord(string str)
{
string pattern = @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|netlocalgroup administrators|:|net user|""|or|and";
if (Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase) || Regex.IsMatch(str, @"[-|;|,|\/|\(|\)|\[|\]|\}|\{|%|@|\*|!|\']"))
return true;
return false;
}
/// <summary>
/// 反SQL注入
/// </summary>
public void AntiSqlInjectionAttack()
{
if (CheckBadQuery() || CheckBadForm())
{
string msg = string.Empty;
msg += "<span style='font-size:12px;'>非法操作!系统做了如下记录!<br>";
msg += "操作IP:" +Utils.GetRealIP()+ "<br>";
msg += "操作时间:" + DateTime.Now + "<br>";
msg += "页面:" + request.ServerVariables["URL"].ToLower() + "<br>";
msg += "<a href=\"#\" onclick=\"history.back()\">返回上一页</a></span>";
MessageBox.ResponseWrite(msg, true);
}
}
}
}
至强工作室 http://www.haotaoci.com
一.尽量使用参数形式,少用拼凑型SQL语句.这不但安全,还增加代码可读性,何乐不为呢!
SqlParameter[] parms = new SqlParameter[] {
new SqlParameter(PARM_EMAIL, SqlDbType.VarChar, 80), new SqlParameter(PARM_FIRST_NAME, SqlDbType.VarChar, 80), new SqlParameter(PARM_LAST_NAME, SqlDbType.VarChar, 80), new SqlParameter(PARM_ADDRESS1, SqlDbType.VarChar, 80), new SqlParameter(PARM_ADDRESS2, SqlDbType.VarChar, 50), new SqlParameter(PARM_CITY, SqlDbType.VarChar, 80), new SqlParameter(PARM_STATE, SqlDbType.VarChar, 80), new SqlParameter(PARM_ZIP, SqlDbType.VarChar, 50), new SqlParameter(PARM_COUNTRY, SqlDbType.VarChar, 50), new SqlParameter(PARM_PHONE, SqlDbType.VarChar, 80), new SqlParameter(PARM_USER_ID, SqlDbType.VarChar, 80)};三.替换特殊字符.如将"'"替换成""".
四.条件可以的话,请使用存储过程操作数据库.
五.等等,当然安全要做的事,远远不止这些..
在这里我还要再发布自已用过的,用于参数及表单过滤的一个类.请大家自已扩展
using System;using System.Text.RegularExpressions;using Microsoft.VisualBasic;namespace zhang.Common{ public class AntiSqlInAttack {
public System.Web.HttpRequest request; public AntiSqlInAttack(System.Web.HttpRequest request) { this.request = request; } public bool CheckBadQuery() { //整串字符对比方法 //string badword = ";|'|*|%| and |20%and20%| master |20%master20%|exec|insert|select|delete|count|chr|mid|truncate|char|declare|update"; //string query = request.ServerVariables["Query_String"].ToString(); //string[] badwordArry = badword.Split(new char[] { '|' }); //for (int i = 0; i < badwordArry.Length; i++) //{ // string tempWord = badwordArry[i].Trim(); // if (query.IndexOf(tempWord) >= 1) // return true; //} //return false; if (request.QueryString.Count != 0) { for (int i = 0; i < request.QueryString.Count; i++) { if (CheckBadWord(request.QueryString[i].ToString())) return true; } } return false; } public bool CheckBadForm() { if (request.Form.Count > 0) { for (int i = 0; i < request.Form.Count; i++) { if (CheckBadWord(request.Form[i])) return true; } } return false; } public bool CheckBadWord(string str) { string pattern = @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|netlocalgroup administrators|:|net user|""|or|and"; if (Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase) || Regex.IsMatch(str, @"[-|;|,|\/|\(|\)|\[|\]|\}|\{|%|@|\*|!|\']")) return true; return false; } /// <summary> /// 反SQL注入 /// </summary> public void AntiSqlInjectionAttack() { if (CheckBadQuery() || CheckBadForm()) { string msg = string.Empty; msg += "<span style='font-size:12px;'>非法操作!系统做了如下记录!<br>"; msg += "操作IP:" +Utils.GetRealIP()+ "<br>"; msg += "操作时间:" + DateTime.Now + "<br>"; msg += "页面:" + request.ServerVariables["URL"].ToLower() + "<br>"; msg += "<a href=\"#\" onclick=\"history.back()\">返回上一页</a></span>"; MessageBox.ResponseWrite(msg, true); } } }}至强工作室 http://www.haotaoci.com
