Asp.net中Global.asax设置防止Sql注入

来源：互联网发布：电视网络接口怎么安装编辑：程序博客网时间：2024/05/16 04:47
using System;using System.IO;public partial class Global : System.Web.HttpApplication{    protected void Application_Start(object sender, EventArgs e)    {        //在应用程序启动时运行的代码    }    protected void Session_Start(object sender, EventArgs e)    {        //在新会话启动时运行的代码    }    protected void Application_BeginRequest(object sender, EventArgs e)    {        try        {            string getkeys = "";            //防止post方法注入            if (System.Web.HttpContext.Current.Request.Form != null)            {                for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)                {                    getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys], 1))                    {                        RecordeWrite();                        System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm");                        System.Web.HttpContext.Current.Response.End();                    }                }            }            //防止get方法注入            if (System.Web.HttpContext.Current.Request.QueryString != null)            {                for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)                {                    getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys], 2))                    {                        RecordeWrite();                        System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm");                        System.Web.HttpContext.Current.Response.End();                    }                }            }            //防止cookie方法注入             if (System.Web.HttpContext.Current.Request.Cookies != null)            {                for (int i = 0; i < System.Web.HttpContext.Current.Request.Cookies.Count; i++)                {                    getkeys = System.Web.HttpContext.Current.Request.Cookies.AllKeys[i];                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].Value, 3))                    {                        RecordeWrite();                        System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm");                        System.Web.HttpContext.Current.Response.End();                    }                }            }        }        catch        {        }    }    /// <summary>    /// 分析用户请求是否正常    /// </summary>    /// <param name="Str">传入用户提交数据</param>    /// <param name="type">注入的方式</param>    /// <returns>返回是否含有SQL注入式攻击代码</returns>    protected bool ProcessSqlStr(string Str, int type)    {        string SqlStr = "";        if (type == 1)  //Post方法提交        {            SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare|replace(|varchar(|cast(";        }        else if (type == 2) //Get方法提交        {            SqlStr = "'|script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|*|asc(|chr(|substring(|mid(|master|truncate|char(|declare|and|or|=|%|replace(|;|varchar(|cast(";        }        else if (type == 3) //Cookie提交        {            SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare";        }        else  //默认Post方法提交        {            SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare|replace(";        }        bool ReturnValue = true;        try        {            if (Str != "")            {                string[] anySqlStr = SqlStr.ToUpper().Split('|'); ;                foreach (string ss in anySqlStr)                {                    if (Str.ToUpper().IndexOf(ss) >= 0)                    {                        ReturnValue = false;                    }                }            }        }        catch        {            ReturnValue = false;        }        return ReturnValue;    }    /// <summary>    /// 记录攻击信息    /// </summary>    protected void RecordeWrite()    {        try        {            string path = "~/Error/Log/" + DateTime.Today.ToString("dd-mm-yy") + ".txt";            if (!System.IO.File.Exists(System.Web.HttpContext.Current.Server.MapPath(path)))            {                System.IO.File.Create(System.Web.HttpContext.Current.Server.MapPath(path)).Close();            }            using (StreamWriter w = System.IO.File.AppendText(System.Web.HttpContext.Current.Server.MapPath(path)))            {                w.WriteLine("当前时间：{0}", System.DateTime.Now.ToString());                w.WriteLine("当前IP：{0} ", System.Web.HttpContext.Current.Request.UserHostAddress);                w.WriteLine("当前Url：{0} ", System.Web.HttpContext.Current.Request.Url.ToString());                w.WriteLine("__________________________________");                w.Flush();                w.Close();            }        }        catch        {        }    }    protected void Application_AuthenticateRequest(object sender, EventArgs e)    {    }    protected void Application_Error(object sender, EventArgs e)    {    }    protected void Session_End(object sender, EventArgs e)    {        //在会话结束时运行的代码。         // 注意: 只有在 Web.config 文件中的 sessionstate 模式设置为        // InProc 时，才会引发 Session_End 事件。如果会话模式         //设置为 StateServer 或 SQLServer，则不会引发该事件。    }    protected void Application_End(object sender, EventArgs e)    {    }}
更多.net技术就在http://bbs.netluntan.com，群：121058751
0 0