在Global.asax中加入以下语句就可以了
/// <summary>
/// Global.asax pipeline hook: runs the request screener at the start of every request.
/// </summary>
/// <param name="sender">The <c>HttpApplication</c> raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
void Application_BeginRequest(object sender, EventArgs e)
{
    // All screening logic lives in StartProcessRequest; this hook only forwards to it.
    StartProcessRequest();
}
#region SQL注入式攻击代码分析
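/// <summary>
/// Screens every query-string and form value of the current request for
/// blacklisted SQL keywords (see <see cref="ProcessSqlStr"/>) and redirects to
/// <c>~/default.aspx</c> as soon as one is found.
/// </summary>
/// <remarks>
/// This is a defense-in-depth filter only: it does not replace parameterized
/// queries in the data-access layer, and the keyword list also rejects
/// legitimate input that happens to contain a listed word. The
/// <c>__VIEWSTATE</c> field is skipped because its base64 payload is not user
/// text; other framework fields (e.g. <c>__EVENTVALIDATION</c>) are still
/// checked and may occasionally trip the filter by chance.
/// </remarks>
private void StartProcessRequest()
{
    string sqlErrorPage = "~/default.aspx"; // page the request is redirected to when a value is rejected
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    if (context == null)
    {
        // Not running inside a request (e.g. application start-up); nothing to screen.
        return;
    }
    System.Web.HttpRequest request = context.Request;
    try
    {
        if (request.QueryString != null)
        {
            for (int i = 0; i < request.QueryString.Count; i++)
            {
                // Keys[i] is the i-th parameter name; it may be null for a bare "?value" entry,
                // and the indexer accepts a null key.
                string key = request.QueryString.Keys[i];
                if (!ProcessSqlStr(request.QueryString[key]))
                {
                    // Redirect (endResponse = true) ends the response by aborting the
                    // request thread, so no further value is examined.
                    context.Response.Redirect(sqlErrorPage);
                    context.Response.End();
                }
            }
        }
        if (request.Form != null)
        {
            for (int i = 0; i < request.Form.Count; i++)
            {
                string key = request.Form.Keys[i];
                if (key == "__VIEWSTATE")
                {
                    continue;
                }
                if (!ProcessSqlStr(request.Form[key]))
                {
                    context.Response.Redirect(sqlErrorPage);
                    context.Response.End();
                }
            }
        }
    }
    catch (System.Threading.ThreadAbortException)
    {
        // Raised by Redirect/End above; let ASP.NET complete the redirect.
        throw;
    }
    catch (Exception)
    {
        // Fail closed: an unexpected error while screening (e.g. reading the form
        // body) must not let the request continue unchecked.
        context.Response.Redirect(sqlErrorPage);
        context.Response.End();
    }
}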
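/// <summary>
/// Checks a single submitted value for blacklisted SQL keywords.
/// </summary>
/// <param name="Str">The raw value submitted by the user; may be null.</param>
/// <returns>
/// <c>true</c> when the value contains none of the listed keywords (or is
/// blank); <c>false</c> when a keyword is found or the value is null.
/// </returns>
/// <remarks>
/// The comparison is ordinal and case-insensitive so the result does not
/// depend on the thread culture: a culture-sensitive <c>ToLower()</c> would,
/// under a Turkish culture, turn "INSERT" into a string that no longer
/// contains "insert" and let it through. Most entries carry a trailing space,
/// so e.g. "select" is only matched when followed by a space; "declare" and
/// "drop" match anywhere. A null value is rejected (fail closed), which is
/// what the previous version did implicitly via its catch-all.
/// </remarks>
private bool ProcessSqlStr(string Str)
{
    // Fail closed on a null value rather than relying on an exception path.
    if (Str == null)
    {
        return false;
    }
    if (Str.Trim() == "")
    {
        return true;
    }
    // Keyword list as an array literal; the entries (including trailing spaces) are unchanged.
    string[] anySqlStr =
    {
        "and ", "exec ", "insert ", "select ", "delete ", "update ", "count ", "* ",
        "chr ", "mid ", "master ", "truncate ", "char ", "declare", "drop"
    };
    foreach (string ss in anySqlStr)
    {
        if (Str.IndexOf(ss, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }
    return true;
}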
#endregion
基于HttpModule的做法如下:
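using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

namespace Sample
{
    /// <summary>
    /// HTTP module that screens the query-string, form and cookie values of
    /// every request for a fixed list of SQL keywords and characters and
    /// redirects to <c>~/Error.aspx</c> when one is found.
    /// </summary>
    /// <remarks>
    /// The screen is defense in depth only; parameterized queries in the
    /// data-access layer remain the primary control. Several list entries
    /// ("@", ";", "end", "open", "sys") occur in ordinary input such as e-mail
    /// addresses, and WebForms fields like <c>__VIEWSTATE</c> are base64 text
    /// that can contain them by chance, so expect false positives and tune the
    /// list for the site.
    /// </remarks>
    public class SampleSqlInjectionScreeningModuleCS : IHttpModule
    {
        // Defines the set of substrings that will be checked (case-insensitively).
        // You can add to this list, or remove items from this list, as appropriate for your site.
        // readonly keeps the array reference from being swapped at runtime; edit the source to change it.
        public static readonly string[] blackList =
        {
            "--", ";--", ";", "/*", "*/", "@@", "@",
            "char", "nchar", "varchar", "nvarchar",
            "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute",
            "fetch", "insert", "kill", "open",
            "select",
            "sys", "sysobjects", "syscolumns",
            "table", "update"
        };

        public void Dispose()
        {
            // no-op: the module holds no disposable state
        }

        // Tells ASP.NET that there is code to run during BeginRequest
        public void Init(HttpApplication app)
        {
            if (app == null)
            {
                throw new ArgumentNullException("app");
            }
            app.BeginRequest += new EventHandler(app_BeginRequest);
        }

        // For each incoming request, check the query-string, form and cookie values for suspicious values.
        void app_BeginRequest(object sender, EventArgs e)
        {
            // The pipeline always passes the HttpApplication; a direct cast fails loudly
            // instead of the NullReferenceException an unchecked "as" would produce.
            HttpRequest request = ((HttpApplication)sender).Context.Request;
            foreach (string key in request.QueryString)
            {
                CheckInput(request.QueryString[key]);
            }
            foreach (string key in request.Form)
            {
                CheckInput(request.Form[key]);
            }
            foreach (string key in request.Cookies)
            {
                HttpCookie cookie = request.Cookies[key];
                if (cookie != null)
                {
                    CheckInput(cookie.Value);
                }
            }
        }

        // The utility method that performs the blacklist comparisons.
        // You can change the error handling, and error redirect location to whatever makes sense for your site.
        private void CheckInput(string parameter)
        {
            // Nothing to match in a null or empty value (a cookie value can be null).
            if (string.IsNullOrEmpty(parameter))
            {
                return;
            }
            for (int i = 0; i < blackList.Length; i++)
            {
                if (parameter.IndexOf(blackList[i], StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    // Handle the discovery of suspicious SQL characters here.
                    // Redirect (endResponse = true) ends the response, so the remaining
                    // values of this request are not examined.
                    HttpContext.Current.Response.Redirect("~/Error.aspx"); // generic error page on your site
                    return;
                }
            }
        }
    }
}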
web.config设置如下:<system.web> … <httpModules> … <add name="SampleSqlInjectionScreeningModuleCS" type="Sample.SampleSqlInjectionScreeningModuleCS"/> … </httpModules> … </system.web>