一招搞定SQL注入攻击

在Global.asax中加入以下语句就可以了

 void Application_BeginRequest(Object sender, EventArgs e)
    {
        StartProcessRequest();

    }

   
     #region SQL注入式攻击代码分析
    ///  <summary>
    /// 处理用户提交的请求
    ///  </summary>
    private void StartProcessRequest()
    {
        try
        {
            string getkeys = "";
            string sqlErrorPage = "~/default.aspx";//转向的错误提示页面
            if (System.Web.HttpContext.Current.Request.QueryString != null)
            {

                for (int i = 0; i  < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.QueryString.KeysIdea [I];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
            if (System.Web.HttpContext.Current.Request.Form != null)
            {
                for (int i = 0; i  < System.Web.HttpContext.Current.Request.Form.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.Form.KeysIdea [I];
                    if (getkeys == "__VIEWSTATE") continue;
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
        }
        catch
        {
            // 错误处理: 处理用户提交信息!
        }
    }
    ///  <summary>
    /// 分析用户请求是否正常
    ///  </summary>
    ///  <param name="Str">传入用户提交数据 </param>
    ///  <returns>返回是否含有SQL注入式攻击代码 </returns>
    private bool ProcessSqlStr(string Str)
    {
        bool ReturnValue = true;
        try
        {
            if (Str.Trim() != "")
            {
                string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦* ¦chr ¦mid ¦master ¦truncate ¦char ¦declare¦drop";

                string[] anySqlStr = SqlStr.Split('¦');
                foreach (string ss in anySqlStr)
                {
                    if (Str.ToLower().IndexOf(ss) >= 0)
                    {
                        ReturnValue = false;
                        break;
                    }
                }
            }
        }
        catch
        {
            ReturnValue = false;
        }
        return ReturnValue;
    }
    #endregion

 

 

 

 

基于HttpModule的做法如下:

using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

namespace Sample
{
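    /// <summary>
    /// HttpModule that rejects a request when any query-string, form or cookie value contains
    /// an entry of <see cref="blackList"/>.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist, not a defence on its own: the list holds substrings such as
    /// "end", "open", "sys" and "@", so ordinary values ("friend", an e-mail address) are
    /// rejected, while anything not listed passes. Data access must still use parameterized
    /// queries; treat this module as a noisy tripwire at most. Headers and the URL path are
    /// not inspected.
    /// </remarks>
    public class SampleSqlInjectionScreeningModuleCS : IHttpModule
    {
        //Defines the set of characters that will be checked.
        //You can add to this list, or remove items from this list, as appropriate for your site
        //The array is shared, mutable state: change it at application start-up, not per request.
        public static string[] blackList = {"--",";--",";","/*","*/","@@","@",
                                           "char","nchar","varchar","nvarchar",
                                           "alter","begin","cast","create","cursor","declare","delete","drop","end","exec","execute",
                                           "fetch","insert","kill","open",
                                           "select", "sys","sysobjects","syscolumns",
                                           "table","update"};

        public void Dispose()
        {
            //no-op
        }

        //Tells ASP.NET that there is code to run during BeginRequest
        public void Init(HttpApplication app)
        {
            app.BeginRequest += new EventHandler(app_BeginRequest);
        }

        //For each incoming request, check the query-string, form and cookie values for suspicious values.
        void app_BeginRequest(object sender, EventArgs e)
        {
            // Init wires this handler to an HttpApplication; a direct cast gives a clear
            // InvalidCastException instead of the NullReferenceException the old `as` produced.
            HttpRequest request = ((HttpApplication)sender).Context.Request;

            foreach (string key in request.QueryString)
            {
                CheckInput(request.QueryString[key]);
            }
            foreach (string key in request.Form)
            {
                CheckInput(request.Form[key]);
            }
            foreach (string key in request.Cookies)
            {
                HttpCookie cookie = request.Cookies[key];
                if (cookie != null)
                {
                    CheckInput(cookie.Value);
                }
            }
        }

        //The utility method that performs the blacklist comparisons
        //You can change the error handling, and error redirect location to whatever makes sense for your site.
        private void CheckInput(string parameter)
        {
            // A missing value has nothing to screen; the original dereferenced it and threw.
            if (string.IsNullOrEmpty(parameter))
            {
                return;
            }
            foreach (string token in blackList)
            {
                if (parameter.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    //
                    //Handle the discovery of suspicious Sql characters here
                    //
                    // endResponse=true ends the request; no further values are checked.
                    HttpContext.Current.Response.Redirect("~/Error.aspx", true);  //generic error page on your site
                    return;
                }
            }
        }

    }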
}
 
web.config设置如下:
 
<system.web>
     …
     <httpModules>
          …
          <add name="SampleSqlInjectionScreeningModuleCS" type="Sample.SampleSqlInjectionScreeningModuleCS"/>
          …
     </httpModules>
     …
</system.web>
 
 
 