防止SQL注入2

通过Global.asax过滤关键字方法一：protected void Application_BeginRequest(Object sender, EventArgs e)    {        //SQL防注入        string Sql_1 = "exec|insert+|select+|delete|update|count|chr|mid|master+|truncate|char|declare|drop+|drop+table|creat+|creat+table";        string Sql_2 = "exec+|insert+|delete+|update+|count(|count+|chr+|+mid(|+mid+|+master+|truncate+|char+|+char(|declare+|drop+|creat+|drop+table|creat+table";        string[] sql_c = Sql_1.Split('|');        string[] sql_c1 = Sql_2.Split('|');        if (Request.QueryString != null)        {            foreach (string sl in sql_c)            {                if (Request.QueryString.ToString().ToLower().IndexOf(sl.Trim()) >= 0)                {                    Response.Write("警告！你的IP已经被记录!");//                    Response.Write(sl);                    Response.Write(Request.QueryString.ToString());                    Response.End();                    break;                }            }        }        if (Request.Form.Count > 0)        {            string s1 = Request.ServerVariables["SERVER_NAME"].Trim();//服务器名称            if (Request.ServerVariables["HTTP_REFERER"] != null)            {                string s2 = Request.ServerVariables["HTTP_REFERER"].Trim();//http接收的名称                string s3 = "";                if (s1.Length > (s2.Length - 7))                {                    s3 = s2.Substring(7);                }                else                {                    s3 = s2.Substring(7, s1.Length);                }                if (s3 != s1)                {                    Response.Write("你的IP已被记录！警告！");//                    Response.End();                }            }        }    }        方法二：(比较好用)      /// <summary>    /// 当有数据时交时，触发事件    /// </summary>    /// <param name="sender"></param>    /// <param name="e"></param>    protected void Application_BeginRequest(Object sender, EventArgs e)    {        //遍历Post参数，隐藏域除外        foreach (string i in this.Request.Form)        {            if (i == "__VIEWSTATE") continue;            this.goErr(this.Request.Form[i].ToString());        }        //遍历Get参数。        foreach (string i in this.Request.QueryString)        {            this.goErr(this.Request.QueryString[i].ToString());         }    }    /// <summary>    ///SQL注入过滤    /// </summary>    /// <param name="InText">要过滤的字符串</param>    /// <returns>如果参数存在不安全字符，则返回true</returns>    public bool SqlFilter(string InText)    {        string word = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|;|'|--";//这里加要过滤的SQL字符        if (InText == null)            return false;        foreach (string i in word.Split('|'))        {            if ((InText.ToLower().IndexOf(i + " ") > -1) || (InText.ToLower().IndexOf(" " + i) > -1))            {                return true;            }        }        return false;    }    /// <summary>    /// 校验参数是否存在SQL字符    /// </summary>    /// <param name="tm"></param>    private void goErr(string tm)    {        if (SqlFilter(tm))        {            Response.Write("<script>window.alert('参数存在不安全字符');"+"</"+"script>");        }    }