
ASP.NET 如何防注入
ASP.NET 如何防注入 有人说建个全局类,我自己用替换字符串的形式被注入了!最好提供些代码出来用。帮我解决问题给多20分也没关系!或加我QQ:547789678

------解决方案--------------------
http://hi.baidu.com/simliving/blog/item/df62172441eade32c995597b.html
看看这个是不是管用
------解决方案--------------------
C# code
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
namespace ProcessSqlInjection
{
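    /// <summary>
    /// HTTP module that scans every form field, query-string value and cookie value of
    /// an incoming request for a short list of SQL keywords and rejects the request
    /// when one is found.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist, not a real defense. It produces false positives on
    /// ordinary text ("black and white") and it only recognises a keyword that is
    /// followed by a space, so it is easy to get past. Treat it as a crude
    /// defense-in-depth signal only; the actual protection against SQL injection is to
    /// run every query with parameters (SqlParameter) instead of string concatenation.
    /// </remarks>
    public class SqlFilterHttpModule : IHttpModule
    {
        // Keywords that mark a value as suspicious. Matching is case-insensitive and
        // each keyword must be followed by a space (see SqlFilter).
        static readonly string[] blacklist = { "and", "exec", "insert", "select", "delete", "update", "chr", "mid", "master", "or", "truncate", "char", "declare", "join", "cmd" };

        #region IHttpModule Members

        /// <summary>Nothing to release: the module owns no resources.</summary>
        public void Dispose()
        {
        }

        /// <summary>Hooks the filter into the start of every request.</summary>
        /// <param name="context">The application this module is attached to.</param>
        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }
        #endregion

        /// <summary>
        /// BeginRequest handler: inspects the current request and throws when a
        /// blacklisted keyword is found in it.
        /// </summary>
        /// <param name="sender">The <see cref="HttpApplication"/> raising the event.</param>
        /// <param name="e">Unused.</param>
        void context_BeginRequest(object sender, EventArgs e)
        {
            // A direct cast fails closed: a sender that is not the application is a
            // pipeline error, and it must not silently skip the check.
            HttpApplication app = (HttpApplication)sender;
            ProcessSqlInjection(app.Context.Request);
        }

        /// <summary>
        /// Runs <see cref="goErr"/> over every form field (except the ASP.NET
        /// __VIEWSTATE / __EVENTVALIDATION fields), every query-string value and every
        /// cookie value of <paramref name="request"/>.
        /// </summary>
        /// <param name="request">The request being inspected.</param>
        void ProcessSqlInjection(HttpRequest request)
        {
            foreach (string key in request.Form)
            {
                // ViewState and event validation are ASP.NET-generated blobs, not user
                // text; scanning them would only produce spurious rejections.
                if (key == "__VIEWSTATE" || key == "__EVENTVALIDATION")
                {
                    continue;
                }
                goErr(request.Form[key]);
            }

            foreach (string key in request.QueryString)
            {
                goErr(request.QueryString[key]);
            }

            foreach (string key in request.Cookies)
            {
                HttpCookie cookie = request.Cookies[key];
                if (cookie != null)
                {
                    goErr(cookie.Value);
                }
            }
        }

        /// <summary>
        /// Sql Injection Filter: reports whether <paramref name="inText"/> contains one
        /// of the blacklisted keywords.
        /// </summary>
        /// <param name="inText">The string to check; null or empty is treated as clean.</param>
        /// <returns>true if a blacklisted keyword occurs as a whole word followed by a space; otherwise false.</returns>
        /// <remarks>
        /// The keyword must start at the beginning of the text or after a character that
        /// is not a letter or digit, so "for sale" no longer trips the "or" entry and
        /// "stand up" no longer trips "and". A keyword followed by anything other than a
        /// space ("select*") is not detected, exactly as before; this remains a heuristic.
        /// </remarks>
        public bool SqlFilter(string inText)
        {
            // Null was previously a NullReferenceException; an absent value cannot
            // contain a keyword, so it is simply clean.
            if (string.IsNullOrEmpty(inText))
            {
                return false;
            }

            foreach (string keyword in blacklist)
            {
                string needle = keyword + " ";
                int pos = inText.IndexOf(needle, StringComparison.OrdinalIgnoreCase);
                while (pos > -1)
                {
                    // Count the hit only when the keyword is not the tail of a longer word.
                    if (pos == 0 || !char.IsLetterOrDigit(inText[pos - 1]))
                    {
                        return true;
                    }
                    pos = inText.IndexOf(needle, pos + 1, StringComparison.OrdinalIgnoreCase);
                }
            }
            return false;
        }

        /// <summary>
        /// Check parameters of the existence of SQL characters: throws when
        /// <see cref="SqlFilter"/> flags the value.
        /// </summary>
        /// <param name="tm">The request value to check.</param>
        /// <exception cref="ArgumentException">Thrown when the value contains a blacklisted keyword.</exception>
        void goErr(string tm)
        {
            if (SqlFilter(tm))
            {
                // Throwing aborts the request in the pipeline. The message deliberately
                // does not reveal which keyword matched.
                throw new ArgumentException("You enter the wrong data parameters!");
            }
        }

    }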
}

------解决方案--------------------
/// <summary>
/// Global.asax BeginRequest hook: delegates the request inspection to
/// StartProcessRequest, which is defined further down in this file.
/// </summary>
/// <param name="sender">Unused.</param>
/// <param name="e">Unused.</param>
void Application_BeginRequest(Object sender, EventArgs e) => StartProcessRequest();

#region 
private void StartProcessRequest()
{
try
{
string getkeys = "";
string sqlErrorPage = "index.aspx";
if (System.Web.HttpContext.Current.Request.QueryString != null)
{

for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}