
asp.net解决SQL注入代码



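public static class CheckChar
    {
        #region SQL injection blacklist filter
        /// <summary>
        /// Redirect target used when a request is rejected. The offending request's
        /// path and query are appended, URL-encoded, as the <c>path</c> parameter.
        /// </summary>
        private const string ErrorPage = "~/Error.aspx?path=";

        /// <summary>
        /// Separator used inside the pattern lists (U+00A6 BROKEN BAR).
        /// </summary>
        private const char PatternSeparator = '¦';

        /// <summary>
        /// Substrings that cause a value to be rejected, for every request source.
        /// NOTE(review): this is a blacklist, not a parser. It is incomplete and
        /// imprecise by construction: it rejects legitimate input containing
        /// "(", "*", "+", "<", ";" and the like, several entries ("%27", "%3B", ...)
        /// are URL-encoded forms that ASP.NET has already decoded by the time
        /// QueryString/Form values reach this code, and some entries ("iframe",
        /// "script", "alert", ".jsp") have nothing to do with SQL. Treat it as
        /// defence in depth only; the actual protection against SQL injection is
        /// parameterised queries at the data-access layer.
        /// </summary>
        private const string SharedPatterns = "%5C¦\\¦.jsp¦iframe¦xp_loginconfig¦xp_fixeddrives¦Xp_regremovemultistring¦Xp_regread¦Xp_regwrite¦xp_cmdshell¦xp_dirtree¦count(¦*¦asc(¦chr(¦substring(¦mid(¦master¦truncate¦char(¦declare¦ and ¦ or ¦replace(¦;¦varchar(¦cast¦exec ¦insert ¦select ¦delete ¦update ¦mid¦master ¦truncate ¦declare ¦script¦alert¦%27¦(¦%28¦)¦%29¦+¦%2B¦%2D¦;¦%3B¦<¦%3C¦%3D¦>¦%3E¦%7C";

        /// <summary>
        /// Patterns applied to GET (query string / referrer) and cookie values.
        /// Split once at type initialisation instead of on every call.
        /// </summary>
        private static readonly string[] s_getPatterns = SplitPatterns(SharedPatterns);

        /// <summary>
        /// Patterns applied to POST (form) values: the shared list plus the
        /// typographic left single quotation mark (U+2018).
        /// </summary>
        private static readonly string[] s_postPatterns = SplitPatterns(SharedPatterns + PatternSeparator + "‘");

        /// <summary>
        /// Scans the current request's query string (or, when it has none, the
        /// query part of the referrer), form fields and cookies with
        /// <see cref="ProcessSqlStr"/> and redirects to the error page on the
        /// first rejected value.
        /// </summary>
        /// <remarks>
        /// Does nothing when there is no current <see cref="System.Web.HttpContext"/>.
        /// The scan fails closed: an exception while reading the request (for
        /// example a malformed Referer header) also leads to a redirect, instead
        /// of being swallowed and letting the request through unchecked.
        /// Form fields <c>__VIEWSTATE</c> and <c>__EVENTVALIDATION</c> and the
        /// <c>__VIEWSTATE</c> cookie are skipped because they carry framework data
        /// that legitimately contains filtered characters.
        /// The redirect is deliberately issued outside the try/catch: under the
        /// classic pipeline <see cref="System.Web.HttpResponse.Redirect(string)"/>
        /// ends the response by raising <see cref="System.Threading.ThreadAbortException"/>,
        /// which must propagate.
        /// </remarks>
        public static void StartProcessRequest()
        {
            System.Web.HttpContext context = System.Web.HttpContext.Current;
            if (context == null)
            {
                return;
            }

            bool clean;
            try
            {
                clean = RequestIsClean(context.Request);
            }
            catch (Exception)
            {
                // Fail closed, consistent with ProcessSqlStr: an unreadable request
                // is treated as a rejected one rather than silently let through.
                clean = false;
            }

            if (!clean)
            {
                RejectRequest(context);
            }
        }

        /// <summary>
        /// Returns <c>false</c> as soon as any query-string, form or cookie value of
        /// <paramref name="request"/> is rejected by <see cref="ProcessSqlStr"/>.
        /// </summary>
        private static bool RequestIsClean(System.Web.HttpRequest request)
        {
            return QueryIsClean(request)
                && CollectionIsClean(request.Form, "post", "__VIEWSTATE", "__EVENTVALIDATION")
                && CookiesAreClean(request.Cookies);
        }

        /// <summary>
        /// Checks the query string; when the request carries none, the query part
        /// of the referrer URL is checked instead (the whole referrer if it has
        /// no '?'). A request without query string and without referrer is clean.
        /// </summary>
        private static bool QueryIsClean(System.Web.HttpRequest request)
        {
            System.Collections.Specialized.NameValueCollection query = request.QueryString;
            if (query == null)
            {
                return true;
            }
            if (query.Count > 0)
            {
                return CollectionIsClean(query, "get");
            }

            // No query string on this request: fall back to the referrer's query.
            Uri referrer = request.UrlReferrer;
            if (referrer == null)
            {
                return true;
            }
            string referrerText = referrer.ToString();
            // IndexOf yields -1 when there is no '?', so the whole referrer is scanned.
            string referrerQuery = referrerText.Substring(referrerText.IndexOf('?') + 1);
            return ProcessSqlStr(referrerQuery, "get");
        }

        /// <summary>
        /// Applies <see cref="ProcessSqlStr"/> to every value of
        /// <paramref name="values"/> (query string or form), skipping the keys
        /// listed in <paramref name="skipKeys"/> (ordinal comparison).
        /// A null collection is clean.
        /// </summary>
        private static bool CollectionIsClean(
            System.Collections.Specialized.NameValueCollection values,
            string type,
            params string[] skipKeys)
        {
            if (values == null)
            {
                return true;
            }
            for (int i = 0; i < values.Count; i++)
            {
                string key = values.Keys[i];
                if (Array.IndexOf(skipKeys, key) >= 0)
                {
                    continue;
                }
                // The key indexer joins repeated keys with commas; that joined
                // string is what gets scanned.
                if (!ProcessSqlStr(values[key], type))
                {
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// Applies <see cref="ProcessSqlStr"/> to every cookie value except the
        /// <c>__VIEWSTATE</c> cookie. A null collection is clean.
        /// </summary>
        private static bool CookiesAreClean(System.Web.HttpCookieCollection cookies)
        {
            if (cookies == null)
            {
                return true;
            }
            for (int i = 0; i < cookies.Count; i++)
            {
                System.Web.HttpCookie cookie = cookies.Get(i);
                if (cookie == null || cookie.Name == "__VIEWSTATE")
                {
                    continue;
                }
                if (!ProcessSqlStr(cookie.Value, "cookie"))
                {
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// Redirects the rejected request to the error page. The path is
        /// URL-encoded so that the offending query cannot be parsed as extra
        /// parameters of the error page's own query string.
        /// </summary>
        private static void RejectRequest(System.Web.HttpContext context)
        {
            string path = System.Web.HttpUtility.UrlEncode(context.Request.Url.PathAndQuery);
            context.Response.Redirect(ErrorPage + path);
        }

        /// <summary>
        /// Splits a '¦'-separated pattern list, dropping empty entries so that a
        /// stray separator can never become an empty pattern that matches everything.
        /// </summary>
        private static string[] SplitPatterns(string list)
        {
            return list.Split(new[] { PatternSeparator }, StringSplitOptions.RemoveEmptyEntries);
        }

        /// <summary>
        /// Reports whether a submitted value is free of blacklisted substrings.
        /// </summary>
        /// <param name="Str">The submitted value. Null is rejected; blank is accepted.</param>
        /// <param name="type">Request source. "post" selects the form list; any
        /// other value (the filter passes "get" and "cookie") selects the shared list.</param>
        /// <returns>
        /// <c>true</c> when no pattern occurs in <paramref name="Str"/>;
        /// <c>false</c> when one does, when <paramref name="Str"/> is null,
        /// or when matching itself throws (fail closed).
        /// </returns>
        /// <remarks>
        /// Matching is ordinal and case-insensitive. The previous implementation
        /// lower-cased the input and then compared it with mixed-case patterns such
        /// as "Xp_regread", which could therefore never match; lower-casing was also
        /// culture-sensitive.
        /// </remarks>
        public static bool ProcessSqlStr(string Str, string type)
        {
            if (Str == null)
            {
                return false;
            }
            if (Str.Trim().Length == 0)
            {
                return true;
            }

            string[] patterns = string.Equals(type, "post", StringComparison.Ordinal)
                ? s_postPatterns
                : s_getPatterns;
            try
            {
                foreach (string pattern in patterns)
                {
                    if (Str.IndexOf(pattern, StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        return false;
                    }
                }
                return true;
            }
            catch (Exception)
            {
                // Fail closed: any error during matching rejects the value.
                return false;
            }
        }
        #endregion
    }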
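/// <summary>
    /// Base page that runs the <see cref="CheckChar"/> request filter before the
    /// page's own PreLoad handlers execute. Pages that derive from it get the
    /// filter without calling it themselves.
    /// </summary>
    public class CheckCharPage : System.Web.UI.Page
    {
        /// <summary>
        /// Runs the request filter and then raises the PreLoad event via the base
        /// class. The base call was missing before, so subscribers to PreLoad were
        /// never invoked; the filter runs first so a rejected request is redirected
        /// before any handler sees it.
        /// </summary>
        /// <param name="e">Event data passed through to the base implementation.</param>
        protected override void OnPreLoad(EventArgs e)
        {
            CheckChar.StartProcessRequest();
            base.OnPreLoad(e);
        }
    }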



原文地址:http://www.cnblogs.com/kyo66691/p/4353492.html
