ASP.NET 怎么防注入
日期:2014-05-20 浏览次数:20893 次
ASP.NET 如何防注入
ASP.NET 如何防注入 有人说建个全局类,我自己用替换字符串的型式被注入了!最好提供些代码出来用。帮我解决问题给多20分也没关系!或加我QQ:547789678
------解决方案--------------------
http://hi.baidu.com/simliving/blog/item/df62172441eade32c995597b.html
看看这个是不是管用
------解决方案--------------------
ASP.NET 如何防注入 有人说建个全局类,我自己用替换字符串的型式被注入了!最好提供些代码出来用。帮我解决问题给多20分也没关系!或加我QQ:547789678
------解决方案--------------------
http://hi.baidu.com/simliving/blog/item/df62172441eade32c995597b.html
看看这个是不是管用
------解决方案--------------------
- C# code
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;
namespace ProcessSqlInjection
{
public class SqlFilterHttpModule : IHttpModule
{
HttpApplication app = null;
string[] blacklist = { "and", "exec", "insert", "select", "delete", "update", "chr", "mid", "master", "or", "truncate", "char", "declare", "join", "cmd" };
#region IHttpModule Members
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
}
#endregion
void context_BeginRequest(object sender, EventArgs e)
{
app = sender as HttpApplication;
ProcessSqlInjection();
}
void ProcessSqlInjection()
{
HttpRequest request = app.Context.Request;
foreach (string i in request.Form)
{
if (i == "__VIEWSTATE" || i=="__EVENTVALIDATION") continue;
goErr(request.Form[i]);
}
foreach (string i in request.QueryString)
{
goErr(request.QueryString[i]);
}
foreach (string i in request.Cookies)
{
goErr(request.Cookies[i].Value);
}
}
/// <summary>
///Sql Injection Filter
/// </summary>
/// <param name="InText">To filter the string</param>
/// <returns>If the parameters of the existence of unsafe characters return true.</returns>
public bool SqlFilter(string inText)
{
foreach (string i in blacklist)
if (inText.IndexOf(i + " ", StringComparison.OrdinalIgnoreCase) > -1)
return true;
return false;
}
/// <summary>
/// Check parameters of the existence of SQL characters
/// </summary>
/// <param name="tm"> </param>
void goErr(string tm)
{
if (SqlFilter(tm))
{
HttpResponse response = app.Context.Response;
throw new ArgumentException("You enter the wrong data parameters!");
}
}
}
}
------解决方案--------------------
void Application_BeginRequest(Object sender, EventArgs e)
{
StartProcessRequest();
}
#region
private void StartProcessRequest()
{
try
{
string getkeys = "";
string sqlErrorPage = "index.aspx";
if (System.Web.HttpContext.Current.Request.QueryString != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
免责声明: 本文仅代表作者个人观点,与爱易网无关。其原创性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容、文字的真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
