ASP.NET 在 Global.asax 中用关键字黑名单按请求拦截，以“防止 SQL 注入”。注意：下面的过滤只检查 QueryString，且黑名单并不完整（不含 select/union/drop/引号/注释符等），只能作为纵深防御的一层，不能替代数据访问层的参数化查询。

using System;

using System.Collections;

using System.ComponentModel;

using System.Web;

using System.Web.SessionState;

using log4net;



namespace WebCheminfo 

{

	/// <summary>

	/// Global 的摘要说明。

	/// </summary>



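	/// <summary>
	/// Application-level event handlers for the WebCheminfo site.
	///
	/// The only real logic is a request filter wired to Application_BeginRequest:
	/// every query-string value is scanned for a short blacklist of SQL keywords
	/// and a matching request is redirected to the site root before any page
	/// handler runs.
	///
	/// Security notes (read before relying on this):
	///  - It is a substring BLACKLIST, which is neither complete nor precise. The
	///    list lacks select/union/insert/delete/drop, quotes and comment markers,
	///    so a payload like  ' OR 1=1--  passes untouched, while any legitimate
	///    value containing "update", "create" or "exe" (e.g. "execute",
	///    "setup.exe") is rejected. Treat it as defence in depth only; the real
	///    control is parameterised queries in the data-access code.
	///  - Only Request.QueryString is inspected. Form bodies, cookies, headers
	///    and route data reach the handlers unchecked (the original file carried
	///    a commented-out Form loop that skipped __VIEWSTATE; it was never active).
	///  - Rejected requests are not logged. log4net is already imported by this
	///    file, so a warning naming the offending key would be cheap to add.
	/// </summary>
	public class Global : System.Web.HttpApplication
	{
		/// <summary>Application-relative page a rejected request is redirected to.</summary>
		private const string SqlErrorPage = "~/";

		/// <summary>
		/// Substrings that cause a value to be rejected, in the order they are
		/// tested. Kept exactly as the original list (" exec", with its leading
		/// space, is redundant because "exe" already matches anything it matches).
		/// </summary>
		private static readonly string[] BlockedSqlKeywords =
		{
			" exec", "update", "declare", "exe", "varchar", "truncate", "create"
		};

		/// <summary>Designer-generated container; unused beyond InitializeComponent.</summary>
		private System.ComponentModel.IContainer components = null;

		public Global()
		{
			InitializeComponent();
		}

		protected void Application_Start(Object sender, EventArgs e)
		{
		}

		protected void Session_Start(Object sender, EventArgs e)
		{
		}

		/// <summary>
		/// Entry point of the SQL-keyword filter; ASP.NET binds it by name at the
		/// start of every request (made protected to match the other handlers).
		/// </summary>
		protected void Application_BeginRequest(Object sender, EventArgs e)
		{
			StartProcessRequest();
		}

		#region SQL injection keyword filter
		/// <summary>
		/// Scans each query-string value of the current request. On the first value
		/// that fails <see cref="ProcessSqlStr"/> the client is redirected to
		/// <see cref="SqlErrorPage"/> and the rest of the pipeline is skipped.
		/// Only the query string is examined (see the class summary).
		/// </summary>
		private void StartProcessRequest()
		{
			System.Web.HttpContext context = System.Web.HttpContext.Current;
			if (context == null || context.Request.QueryString == null)
			{
				return;
			}

			System.Collections.Specialized.NameValueCollection query = context.Request.QueryString;
			for (int i = 0; i < query.Count; i++)
			{
				// GetValues(i) yields each value of a repeated key separately and
				// copes with value-only entries such as "?foo", whose key is null.
				// Indexing by key (as the original did) joins repeated values with
				// commas, which can neither create nor hide a keyword, so the
				// verdict is the same.
				string[] values = query.GetValues(i);
				if (values == null)
				{
					continue;
				}

				foreach (string value in values)
				{
					if (!ProcessSqlStr(value))
					{
						RejectRequest(context);
						return;
					}
				}
			}
		}

		/// <summary>
		/// Sends the client to <see cref="SqlErrorPage"/> and ends the request
		/// without throwing. Redirect(url, false) + CompleteRequest() is the
		/// ASP.NET-recommended form; the original Redirect(url) already ended the
		/// response via a ThreadAbortException, making its following Response.End()
		/// unreachable.
		/// </summary>
		/// <param name="context">Context of the request being rejected.</param>
		private void RejectRequest(System.Web.HttpContext context)
		{
			// NOTE(review): nothing is logged here; a log4net warning (already
			// imported by this file) would make blocked requests visible to ops.
			context.Response.Redirect(SqlErrorPage, false);
			CompleteRequest();
		}

		/// <summary>
		/// Decides whether a single submitted value is acceptable.
		/// </summary>
		/// <param name="Str">Raw value from the request; may be null.</param>
		/// <returns>
		/// true when the value is null, blank, or contains none of
		/// <see cref="BlockedSqlKeywords"/>; false when it contains one.
		/// Note the polarity: true means "passes", not "is an attack".
		/// </returns>
		private static bool ProcessSqlStr(string Str)
		{
			// The original wrapped everything in catch-all that turned any
			// exception (in practice only a null Str) into a rejection. A null
			// value cannot carry a keyword, so it is accepted explicitly instead.
			if (Str == null || Str.Trim().Length == 0)
			{
				return true;
			}

			foreach (string keyword in BlockedSqlKeywords)
			{
				// Ordinal, case-insensitive: deterministic regardless of the
				// server's culture. The original lower-cased the whole input on
				// every iteration and used a culture-sensitive IndexOf.
				if (Str.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
				{
					return false;
				}
			}

			return true;
		}
		#endregion

		protected void Application_EndRequest(Object sender, EventArgs e)
		{
		}

		protected void Application_AuthenticateRequest(Object sender, EventArgs e)
		{
		}

		protected void Application_Error(Object sender, EventArgs e)
		{
		}

		protected void Session_End(Object sender, EventArgs e)
		{
		}

		protected void Application_End(Object sender, EventArgs e)
		{
		}

		#region Web Form Designer generated code
		/// <summary>
		/// Required method for designer support - do not modify the contents of
		/// this method with the code editor.
		/// </summary>
		private void InitializeComponent()
		{
			this.components = new System.ComponentModel.Container();
		}
		#endregion
	}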

}


