sql注入 学习

 今天在网上转，看到这样一个帖子，记录一下：

1、不要直接拼sql改为传参形式或者用存储过程

 string sql = "select * from InfoContent where id=@id";

2、在Global.asax文件中加入如下方法即可：
#region SQL注入式攻击代码分析
        /// <summary>
        /// 处理用户提交的请求
        /// </summary>
        private void StartProcessRequest()
        {
            try
            {
                string getkeys = "";

                if (System.Web.HttpContext.Current.Request.QueryString != null)
                {

                    for (int i = 0; i <

System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                    {
                        getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys

[i];
                        if (!ProcessSqlStr

(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                        {
                            System.Web.HttpContext.Current.Response.Write(" <h3>不能包含执行

语句 </h3>");
                            System.Web.HttpContext.Current.Response.End();
                        }
                    }
                }
                if (System.Web.HttpContext.Current.Request.Form != null)
                {
                    for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count;

i++)
                    {
                        getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                        if (getkeys == "__VIEWSTATE") continue;
                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form

[getkeys]))
                        {
                            jcFAQApp.FAQ_Util.Log.WriteMessage(" <font color:red>注入攻击

</red>", System.Web.HttpContext.Current.Request.UserHostAddress.ToString());
                            System.Web.HttpContext.Current.Response.Write(" <h3>不能包含执行

语句 </h3>");
                            System.Web.HttpContext.Current.Response.End();
                        }
                    }
                }
            }
            catch
            {

            }
        }
        /// <summary>
        /// 分析用户请求是否正常
        /// </summary>
        /// <param name="Str">传入用户提交数据 </param>
        /// <returns>返回是否含有SQL注入式攻击代码 </returns>
        private bool ProcessSqlStr(string Str)
        {
            bool ReturnValue = true;
            try
            {
                if (Str.Trim() != "")
                {
                    //string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦*

¦chr ¦mid ¦master ¦truncate ¦char ¦declare";
                    string SqlStr = "exec ¦insert ¦select ¦delete ¦update ¦mid ¦master

¦truncate ¦declare";
                    string[] anySqlStr = SqlStr.Split('¦');
                    foreach (string ss in anySqlStr)
                    {
                        if (Str.ToLower().IndexOf(ss) >= 0)
                        {
                            ReturnValue = false;
                            break;
                        }
                    }
                }
            }
            catch
            {
                ReturnValue = false;
            }
            return ReturnValue;
        }
        #endregion
3、屏蔽某些sql关键字
      给sql运行账户最小的权限,千万不要sysadmin

     应用程序使用的去连接数据库的帐户应该只拥有必须的特权，这样有助于保护整个系统尽可能少的

受到入侵者的危害。应用程序不应该用SA或者管理员帐户去连接数据库。作为替代，它应该只有访问它要

调用的单个库的权力。

4、禁止使用系统存储过程，过滤数据库操作关键字，
      或者操作sql都写到数据库中用存储过程

5、C# Code

   /// <summary>
    /// 自己封装的Request 可以在其中进行一些操作
    /// </summary>
    /// <param name="str"></param>
    /// <returns></returns>
    public static string BbnRequest(string str)
    {
        if (System.Web.HttpContext.Current.Request.HttpMethod == "GET")
        {
            string value = System.Web.HttpContext.Current.Request[str];

            if (value == null)
            {
                return null;
            }

            string pattern = @"'|xp_cmdshell|/add|exec|%

|select|count|insert|delete|drop|update|truncate|or|and|\*|@|master|char|declare|join";
            bool bl = Regex.IsMatch(value, pattern, RegexOptions.IgnoreCase);
            if (bl)
            {
                string clientIp = WbfTools.BLL.Utils.GetIP();
                string clientURL = System.Web.HttpContext.Current.Request.Url.ToString();
                string serverParch = System.Web.HttpContext.Current.Server.MapPath("~/");
                //写日志
                StreamWriter sw = File.AppendText(serverParch + "\\sqlin.txt");
                sw.WriteLine("IP:" + clientIp + "   URL:" + clientURL + "   DateTime:" +

DateTime.Now.ToString());
                sw.Flush();
                sw.Close();
                sw.Dispose();

                System.Web.HttpContext.Current.Response.Write("希望您只是来做俯卧撑的！！！

<br />");
                System.Web.HttpContext.Current.Response.Write(clientIp);
                System.Web.HttpContext.Current.Response.End();
                return "";
            }
            else
            {
                return value;
            }
        }
        else
        {
            string value = System.Web.HttpContext.Current.Request[str];
            value = Regex.Replace(value, "<", "&gt;", RegexOptions.IgnoreCase);
            value = Regex.Replace(value, ">", "&lt;", RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "xp_cmdshell", "<span>xp_cmdshell</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "/add", "<span>/add</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "%", "<span>%</span>", RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "select", "<span>select</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "count", "<span>count</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "'", "\"", RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "insert", "<span>insert</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "delete", "<span>delete</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "drop", "<span>drop</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "update", "<span>update</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "truncate", "<span>truncate</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "iframe", "<span>iframe</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "or", "<span>or</span>", RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "and", "<span>and</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "@", "<span>@</span>", RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "chr", "<span>chr</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "mid", "<span>mid</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "master", "<span>master</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "truncate", "<span>truncate</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "char", "<span>char</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "declare", "<span>declare</span>",

RegexOptions.IgnoreCase);
            value = Regex.Replace(value, "join", "<span>join</span>",

RegexOptions.IgnoreCase);
            return value;
        }
    }
6、两种办法，一种是在glob中加判断，上面已经有人接了，、
另外一种办法就是把访问数据的帐号的权限变小，
把对应数据库中的系统表syscolumns和sysobjects中的权限中的public的select权限去掉，因为大部份的

注入都是从系统表中找出你这个数据库中的大字段，然后再批量替换。所以不能他查系统表的权限就可以

较少很多风险。除非他清除你系统中的表结构。

 7、一个简单的例子：

     许多程序员在用sql语句进行用户密码验证时是通过一个类似这样的语句来实现的：
　　Sql="Select * from 用户表 where 姓名='"+name+"' and 密码='"+password+"'"
　　其中name和password是存放用户输入的用户名和口令，通过执行上述语句来验证用户和密码是否合法

有效。但是通过分析可以发现，上述语句却存在着致命的漏洞。当我们在用户名称中输入下面的字符串时

：111'or'1=1，然后口令随便输入，我们设为aaaa。变量代换后，sql语句就变成了下面的字符串：
　　Sql="Select * from 用户表 where 姓名='111'or'1=1' and 密码='aaaa'
　　我们都知道select语句在判断查询条件时，遇到或（or）操作就会忽略下面的与（and）操作，而在

上面的语句中1=1的值永远为true，这意味着无论在密码中输入什么值，均能通过上述的密码验证！这个

问题的解决很简单，方法也很多，最常用的是在执行验证之前，对用户输入的用户和密码进行合法性判断

，不允许输入单引号、等号等特殊字符。