asp.net程序防止sql注入

以下是 .NET 程序防止 SQL 注入的两种方法。方法一如下:将下面的代码加入到 Global.asax 文件中:
   
    ///<summary>
    ///防止SQL注入
    ///</summary>
    ///<param name="sender"></param>
    ///<param name="e"></param>
    void Application_BeginRequest(Object sender,EventArgs e)
    {
        StartProcessRequest();
 
    }

#region SQL注入式攻击代码分析

    ///<summary>
    ///处理用户提交的请求
    ///</summary>
    privatevoid StartProcessRequest()
    {
        try
        {
            string getkeys = "";
            string sqlErrorPage = "error.aspx";//转向的错误提示页面
            if (System.Web.HttpContext.Current.Request.QueryString !=null)
            {
 
                for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
            }
            if (System.Web.HttpContext.Current.Request.Form !=null)
            {
                for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
                {
                    getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
                    if (getkeys == "__VIEWSTATE") continue;
                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
                    {
                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
                        System.Web.HttpContext.Current.Response.End();
                    }
                }
           }
        }
        catch
        {
            // 错误处理: 处理用户提交信息!
        }
    }
    ///<summary>
    ///分析用户请求是否正常
    ///</summary>
    ///<param name="Str">传入用户提交数据</param>
    ///<returns>返回是否含有SQL注入式攻击代码</returns>
    privatebool ProcessSqlStr(string Str)
    {
        bool ReturnValue =true;
        try
        {
            if (Str.Trim() != "")
            {
                string SqlStr = "and .exec .insert .select .delete .update .count .* .chr .mid .master .truncate .char .declare";
 
                string[] anySqlStr = SqlStr.Split('.');
                foreach (string ss in anySqlStr)
                {
                    if (Str.ToLower().IndexOf(ss) >= 0)
                    {
                        ReturnValue =false;
                        break;
                    }
                }
            }
        }
        catch
        {
            ReturnValue = false;
        }
        return ReturnValue;
    }
    #endregion
方法二如下:在 App_Code 文件夹中添加一个类 SqlZr.cs,其内容如下:
 
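/// <summary>
/// Strips characters commonly used in SQL syntax from request values.
/// </summary>
/// <remarks>
/// This is blacklist sanitisation: it alters legitimate input (hyphenated names, percentages,
/// '+' in addresses) and cannot by itself make string-built SQL safe. Parameterized queries
/// remain the actual mitigation; treat this as defence in depth only.
/// </remarks>
public class SqlZr
{
    // Removed in this exact order: "%20" must go before "%" so the encoded space is dropped
    // whole rather than leaving "20" behind. The original's "--" and "==" steps are omitted
    // because the later "-" and "=" removals delete those characters anyway.
    private static readonly string[] StrippedTokens =
        { ";", "'", "&", "%20", "<", ">", "%", "+", "-", "=", "," };

    /// <summary>
    /// Removes every blacklisted token from <paramref name="str"/>.
    /// </summary>
    /// <param name="str">Raw request value; may be null.</param>
    /// <returns>The stripped value, or the empty string when <paramref name="str"/> is null or empty.</returns>
    public static string DelSQLStr(string str)
    {
        if (string.IsNullOrEmpty(str))
        {
            return "";
        }
        foreach (string token in StrippedTokens)
        {
            str = str.Replace(token, ""); // ordinal replace, same as the original chain
        }
        return str;
    }
}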
 
再将项目中所有的 Request.QueryString["id"] 改为 SqlZr.DelSQLStr(Request.QueryString["id"]) 即可。