HttpApplication

Every request is processed through the HttpApplication event pipeline. The request data can be filtered at the pipeline events, and the request is then dispatched to the appropriate handler according to the request type (the IHttpHandler).
There are two ways to hook into the pipeline: implement the IHttpModule interface, or add the event handler method directly to the Global class (Global.asax).
SQL injection is a security threat to web sites. There are two defensive approaches: reject any request that carries sensitive data, or filter the sensitive data out of the request strings. Either way, every user request has to be inspected in the BeginRequest event (or by an AOP mechanism).
Code

SQL injection processing class

using System;
using System.Text.RegularExpressions;
using System.Web;

public class SQLInjectionHelper
{
    // Inspects the form values (POST) or the query string (other verbs) of the
    // current request. Returns true when any value matches the blacklist.
    public static bool ValidUrlData(string requestType)
    {
        bool result = false;
        HttpRequest request = HttpContext.Current.Request;

        if (requestType == "POST")
        {
            // Get the POST data
            for (int i = 0; i < request.Form.Count; i++)
            {
                result = ValidData(request.Form[i]);
                if (result)
                {
                    break;
                }
            }
        }
        else
        {
            // Get the data in the query string
            for (int i = 0; i < request.QueryString.Count; i++)
            {
                result = ValidData(request.QueryString[i]);
                if (result)
                {
                    break;
                }
            }
        }
        return result;
    }

    /// <summary>
    /// Determines whether the input contains injected code
    /// </summary>
    /// <param name="inputData">one form or query string value</param>
    /// <returns>true if a blacklisted token is present</returns>
    private static bool ValidData(string inputData)
    {
        if (string.IsNullOrEmpty(inputData))
        {
            return false;
        }
        // IgnoreCase so that SELECT and select are treated alike
        return Regex.IsMatch(inputData, GetRegexString(), RegexOptions.IgnoreCase);
    }

    /// <summary>
    /// Builds the regular expression from the blacklist
    /// </summary>
    /// <returns>pattern matching any blacklisted token</returns>
    private static string GetRegexString()
    {
        string[] strBadChar =
        {
            "and", "exec", "insert", "select", "delete", "update", "count", "from",
            "drop", "asc", "char", "or", "%", ";", ":", "\\", "\"", "-", "chr", "mid",
            "master", "truncate", "char", "declare", "sitename", "net user",
            "xp_cmdshell", "/add", "exec master.dbo.xp_cmdshell",
            "net localgroup administrators"
        };

        // Regex.Escape keeps tokens such as "\" and "-" from being read as
        // regex syntax, which would otherwise corrupt the alternation.
        string strRegex = ".*(";
        for (int i = 0; i < strBadChar.Length - 1; i++)
        {
            strRegex += Regex.Escape(strBadChar[i]) + "|";
        }
        strRegex += Regex.Escape(strBadChar[strBadChar.Length - 1]) + ").*";
        return strRegex;
    }
}
Add to the Global class (Global.asax)

void Application_BeginRequest(object sender, EventArgs e)
{
    // RequestType is "GET" or "POST"; the helper picks the matching collection
    bool result = SQLInjectionHelper.ValidUrlData(Request.RequestType.ToUpper());
    if (result)
    {
        // "The data you submitted contains malicious characters"
        Response.Write("您提交的数据有恶意字符");
        Response.End();
    }
}
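The text names IHttpModule as the other way to hook the pipeline but only shows the Global.asax version. The following is an added example, not code from the original post, of the same check packaged as a module. It assumes the SQLInjectionHelper class above is available; the module name SqlInjectionModule and the web.config registration are illustrative.

```csharp
using System;
using System.Net;
using System.Web;

// Hypothetical module name. Subscribes the blacklist check to BeginRequest so
// it runs for every request without editing Global.asax.
public class SqlInjectionModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // BeginRequest fires before any handler, so nothing downstream sees
        // a request that this check rejects.
        context.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // Same decision as the Global.asax handler: form values for POST,
        // query string otherwise.
        bool suspicious = SQLInjectionHelper.ValidUrlData(request.RequestType.ToUpper());
        if (!suspicious)
        {
            return;
        }

        // Record source and URL for investigation; the client never sees the
        // blocked content echoed back.
        System.Diagnostics.Trace.WriteLine(
            "Blocked request from " + request.UserHostAddress + " to " + request.RawUrl);

        // Answer with 400 rather than a 200 carrying a message, so monitoring
        // and access logs register the rejection as an error.
        HttpResponse response = app.Context.Response;
        response.StatusCode = (int)HttpStatusCode.BadRequest;
        response.SuppressContent = true;
        app.CompleteRequest();
    }

    public void Dispose()
    {
        // Nothing to release
    }
}

// Registration (IIS integrated pipeline), shown as a comment because it is
// configuration rather than C#:
//
// <system.webServer>
//   <modules>
//     <add name="SqlInjectionModule" type="SqlInjectionModule" />
//   </modules>
// </system.webServer>
//
// Under classic mode the equivalent entry goes in <system.web><httpModules>.
```

Because the blacklist contains ordinary words such as "and", "or", "from", "count" and the hyphen, any free-text field will produce false positives; the module is a defence-in-depth layer, and parameterized queries remain the primary control against SQL injection.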
Prevent SQL injection with the HttpApplication request pipeline