asp.net解決SQL注入代碼


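public static class CheckChar
{
    #region Request screening against a denylist of SQL / script fragments

    // Denylist applied to GET, POST and cookie values. Kept verbatim from the original (only the exact
    // duplicate ";" removed); every entry is matched as a case-insensitive substring of the raw value,
    // so entries such as "(", "*", "<" or " and " also reject ordinary text that merely contains them.
    // ASP.NET has already URL-decoded Request values, so the "%xx" entries only fire on
    // double-encoded input. This is a heuristic, not a substitute for parameterised queries.
    private static readonly string[] CommonTokens =
    {
        "%5C", "\\", ".jsp", "iframe",
        "xp_loginconfig", "xp_fixeddrives", "Xp_regremovemultistring", "Xp_regread", "Xp_regwrite",
        "xp_cmdshell", "xp_dirtree",
        "count(", "*", "asc(", "chr(", "substring(", "mid(", "master", "truncate", "char(", "declare",
        " and ", " or ", "replace(", ";", "varchar(", "cast",
        "exec ", "insert ", "select ", "delete ", "update ", "mid", "master ", "truncate ", "declare ",
        "script", "alert",
        "%27", "(", "%28", ")", "%29", "+", "%2B", "%2D", "%3B", "<", "%3C", "%3D", ">", "%3E", "%7C",
    };

    // POST values are additionally checked for the apostrophe. The scraped page showed this entry as a
    // typographic quote (U+2018); the ASCII apostrophe, i.e. the decoded form of the adjacent "%27"
    // entry, is assumed here — confirm against the original source.
    private static readonly string[] PostTokens = BuildPostTokens();

    // CommonTokens plus the POST-only apostrophe; a plain copy so no extra namespaces are needed.
    private static string[] BuildPostTokens()
    {
        string[] all = new string[CommonTokens.Length + 1];
        CommonTokens.CopyTo(all, 0);
        all[CommonTokens.Length] = "'";
        return all;
    }

    // Target of every rejection. The rejected request's path and query are passed as one encoded
    // parameter; the original concatenated them raw, so any '&' in the query split "path" into
    // several parameters on the error page.
    private static string ErrorRedirectUrl()
    {
        string pathAndQuery = System.Web.HttpContext.Current.Request.Url.PathAndQuery;
        return "~/Error.aspx?path=" + Uri.EscapeDataString(pathAndQuery);
    }

    // True when any value in the collection, other than those under the listed keys, trips the denylist.
    private static bool ContainsRejectedValue(
        System.Collections.Specialized.NameValueCollection values,
        string type,
        params string[] skipKeys)
    {
        for (int i = 0; i < values.Count; i++)
        {
            string key = values.Keys[i];
            if (Array.IndexOf(skipKeys, key) >= 0)
            {
                continue;
            }
            if (!ProcessSqlStr(values[key], type))
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Screens the current request's query string, form fields and cookies against the denylist and
    /// redirects to ~/Error.aspx on the first hit.
    /// </summary>
    /// <remarks>
    /// The redirect carries the rejected request path in its own query string, so the error page must
    /// not itself run this screen on its query string, otherwise the redirect repeats.
    /// There is deliberately no catch-all: the original swallowed every exception, so a failure part-way
    /// through the screen (for example a null cookie lookup) let the rest of the request through
    /// unchecked. An exception now surfaces as a server error, i.e. the screen fails closed.
    /// </remarks>
    public static void StartProcessRequest()
    {
        var request = System.Web.HttpContext.Current.Request;
        var response = System.Web.HttpContext.Current.Response;

        // GET. With no query string of its own, the original screened the referrer's query part
        // instead; preserved as-is, although the referrer has no bearing on what this request
        // itself submits.
        if (request.QueryString != null)
        {
            if (request.QueryString.Count == 0)
            {
                string referrer = request.UrlReferrer != null ? request.UrlReferrer.ToString() : "";
                int q = referrer.IndexOf('?');
                // Without a '?', the original Substring arithmetic yielded the whole referrer; kept.
                string candidate = q >= 0 ? referrer.Substring(q + 1) : referrer;
                if (!ProcessSqlStr(candidate, "get"))
                {
                    response.Redirect(ErrorRedirectUrl());
                    return;
                }
            }
            else if (ContainsRejectedValue(request.QueryString, "get"))
            {
                response.Redirect(ErrorRedirectUrl());
                return;
            }
        }

        // POST. The two WebForms bookkeeping fields are skipped, as in the original.
        if (request.Form != null
            && ContainsRejectedValue(request.Form, "post", "__VIEWSTATE", "__EVENTVALIDATION"))
        {
            response.Redirect(ErrorRedirectUrl());
            return;
        }

        // Cookies. HttpCookieCollection is not a NameValueCollection, so it gets its own loop.
        if (request.Cookies != null)
        {
            for (int i = 0; i < request.Cookies.Count; i++)
            {
                string key = request.Cookies.Keys[i];
                if (key == "__VIEWSTATE")
                {
                    continue;
                }
                var cookie = request.Cookies[key];
                // The original dereferenced .Value unconditionally; a null lookup result threw and the
                // outer catch then abandoned the remainder of the screen.
                if (cookie == null)
                {
                    continue;
                }
                if (!ProcessSqlStr(cookie.Value, "cookie"))
                {
                    response.Redirect(ErrorRedirectUrl());
                    return;
                }
            }
        }
    }

    /// <summary>
    /// Tests one submitted value against the denylist.
    /// </summary>
    /// <param name="Str">The submitted value. Null or whitespace-only input has nothing to scan and counts as clean.</param>
    /// <param name="type">"post" selects the POST list (the common list plus the apostrophe); any other value selects the common list.</param>
    /// <returns>true when no denylist token occurs in <paramref name="Str"/>; false when one does.</returns>
    public static bool ProcessSqlStr(string Str, string type)
    {
        if (string.IsNullOrWhiteSpace(Str))
        {
            return true;
        }

        string[] tokens = string.Equals(type, "post", StringComparison.Ordinal) ? PostTokens : CommonTokens;

        foreach (string token in tokens)
        {
            // Ordinal, case-insensitive. The original lower-cased the input with the current culture
            // and then did a culture-sensitive IndexOf: the mixed-case "Xp_reg*" entries could never
            // match the lower-cased text, and under a culture such as tr-TR an upper-case "INSERT"
            // lower-cases to a dotless i and slipped past "insert ".
            if (Str.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }

        return true;
    }

    #endregion
}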
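/// <summary>
/// Base page that screens the incoming request before the page's own PreLoad handlers run.
/// </summary>
public class CheckCharPage : System.Web.UI.Page
{
    /// <summary>
    /// Runs <see cref="CheckChar.StartProcessRequest"/> and then lets the base class raise the
    /// PreLoad event. The original override never called <c>base.OnPreLoad(e)</c>, so pages deriving
    /// from this class did not receive their PreLoad event.
    /// </summary>
    /// <param name="e">Event data forwarded to the base implementation.</param>
    protected override void OnPreLoad(EventArgs e)
    {
        // Screen first: a rejected request is redirected away before any PreLoad handler sees it.
        CheckChar.StartProcessRequest();
        base.OnPreLoad(e);
    }
}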
