Global.asax sql防注入


可能不大专业。我觉得如果用参数化查询的话，应该能有效地避免注入攻击。

传说中的sql注入攻击

// Vulnerable pattern: the second operand stands in for text taken straight from the client, so the
// closing quote, the always-true predicate and the batch separator become part of the statement.
// The fix is a parameterised query (SqlParameter), not a keyword filter.
string sql = "SELECT * FROM 表名 WHERE [Name] = '" + "' or 1=1;DROP TABLE ... --" + "'";

 

 

 

=---------------------在Global.asax文件中添加---------------

 

/// <summary>
/// ASP.NET pipeline hook: runs once per request, before any handler, and delegates to
/// StartProcessRequest so that query-string and form values are screened first.
/// </summary>
/// <param name="sender">The application object raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
void Application_Beginrequest(object sender, EventArgs e)
{
    // Screening is done here rather than per page so no handler can be reached without it.
    this.StartProcessRequest();
}


#region SQL注入式攻击代码分析
       
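/// <summary>
/// Screens the current request's query-string and form values with
/// <see cref="ProcessSqlStr"/> and ends the response when a value is rejected.
/// Invoked from Application_Beginrequest, i.e. before any handler runs.
/// </summary>
/// <remarks>
/// This is a keyword heuristic, not a substitute for parameterised queries: it can miss
/// injection attempts and can reject ordinary text that happens to contain a listed word.
/// The previous version wrapped the scan in an empty catch, so any exception inside the
/// scan let the request through unchecked (fail-open); exceptions now surface instead.
/// </remarks>
private void StartProcessRequest()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    if (context == null)
    {
        return;
    }

    System.Web.HttpRequest request = context.Request;

    // Query-string and form values are both client-controlled and are checked the same way;
    // __VIEWSTATE is skipped because it is framework-generated, not user text.
    if (!ValuesLookClean(request.QueryString, null) || !ValuesLookClean(request.Form, "__VIEWSTATE"))
    {
        RejectRequest(context);
    }
}

/// <summary>
/// Runs <see cref="ProcessSqlStr"/> over every value of <paramref name="values"/>.
/// </summary>
/// <param name="values">Query-string or form collection; null is treated as empty.</param>
/// <param name="skipKey">Field name to leave unchecked, or null to check everything.</param>
/// <returns>true when every checked value passed; false at the first rejected value.</returns>
private bool ValuesLookClean(System.Collections.Specialized.NameValueCollection values, string skipKey)
{
    if (values == null)
    {
        return true;
    }

    foreach (string key in values.AllKeys)
    {
        if (skipKey != null && key == skipKey)
        {
            continue;
        }

        // The indexer is used as in the original loop, so multi-valued fields arrive joined.
        if (!ProcessSqlStr(values[key]))
        {
            return false;
        }
    }

    return true;
}

/// <summary>
/// Logs the client address, writes a short notice and stops the response.
/// </summary>
/// <param name="context">Current request context.</param>
private void RejectRequest(System.Web.HttpContext context)
{
    // The original only logged rejections found in the form; every rejection is logged now.
    jcFAQApp.FAQ_Util.Log.WriteMessage("<font color:red>注入攻击</red>", context.Request.UserHostAddress);
    context.Response.Write("<h3>不能包含执行语句</h3>");
    // Stops further processing of this request.
    context.Response.End();
}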
       
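/// <summary>
/// Heuristic check of one request value for SQL keywords.
/// </summary>
/// <param name="Str">Value submitted by the client; null or blank is treated as harmless.</param>
/// <returns>
/// true when the value contains none of the listed keywords (the request may proceed);
/// false when one is found. The polarity is the original one: true means "looks normal".
/// </returns>
/// <remarks>
/// A keyword list is a weak control on its own and is kept only as a coarse early screen;
/// parameterised queries remain the actual protection. Most entries carry a trailing space,
/// so e.g. "selected" is not matched while "select " is; "declare" is matched bare. Expect
/// false positives on ordinary text containing a listed word.
/// </remarks>
private bool ProcessSqlStr(string Str)
{
    // Nothing to inspect. The original dereferenced null here, caught the exception and
    // returned false, i.e. rejected a value that contains no text at all.
    if (Str == null || Str.Trim().Length == 0)
    {
        return true;
    }

    // Same tokens the original produced by splitting its list on '¦'.
    string[] sqlKeywords = new string[]
    {
        "exec ", "insert ", "select ", "delete ", "update ",
        "mid ", "master ", "truncate ", "declare"
    };

    foreach (string keyword in sqlKeywords)
    {
        // Ordinal, case-insensitive comparison replaces ToLower()+IndexOf(): both followed the
        // thread culture, so the outcome could differ between servers (CA1304/CA1308).
        if (Str.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }

    return true;
}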
       
#endregion
