过滤网址和输入框中的特殊字符，防止sql注入

Posted 2020-11-14 AZRNG

1. using System;  
2. using System.Data;  
3. using System.Configuration;  
4. using System.Web;  
5. using System.Web.Security;  
6. using System.Web.UI;  
7. using System.Web.UI.htmlControls;  
8. using System.Web.UI.WebControls;  
9. using System.Web.UI.WebControls.WebParts;  
10.   
11. /// <summary>  
12. ///cedar 的摘要说明  
13. /// </summary>  
14. public class cedar:IHttpModule  
15. {  
16.     public cedar()  
17.     {  
18.         //  
19.         //TODO: 在此处添加构造函数逻辑  
20.         //  
21.     }  
22.     public void Dispose()  
23.     {  
24.   
25.     }  
26.   
27.     public void Init(HttpApplication application)  
28.     {  
29.         application.AcquireRequestState += new EventHandler(application_AcquireRequestState);  
30.     }  
31.     private void application_AcquireRequestState(object sender, EventArgs e)  
32.     {  
33.         HttpContext content = ((HttpApplication)sender).Context;  
34.         try  
35.         {  
36.             string sqlErrorPage = "default.html";//转到默认页面  
37.             string keyValue = string.Empty;  
38.             string requestUrl = content.Request.Path.ToString();  
39.             if (content.Request.QueryString != null)  
40.             {  
41.                 foreach (string val in content.Request.QueryString)  
42.                 {  
43.                    keyValue= content.Server.UrlDecode(content.Request.QueryString[val]);  
44.                    if (!processSqlStr(keyValue))  
45.                    {  
46.                        content.Response.Write("您访问的页面发生错误，此问题我们已经记录并尽快改善，请稍后再试。<br><a href=""+sqlErrorPage+"" mce_href=""+sqlErrorPage+"">转到首页</a>");  
47.                        content.Response.End();  
48.                        break;  
49.                    }  
50.                 }  
51.             }  
52.             if (content.Request.Form != null)  
53.             {  
54.                 foreach(string val in content.Request.Form)  
55.                 {  
56.                     keyValue = content.Server.HtmlDecode(content.Request.Form[val]);  
57.                     if (keyValue == "_ViEWSTATE") continue;  
58.                     if (!processSqlStr(keyValue))  
59.                     {  
60.                         content.Response.Write("您访问的页面发生错误，此问题我们已经记录并尽快改善，请稍后再试。");  
61.                         content.Response.End();  
62.                         break;  
63.                     }  
64.                 }  
65.             }  
66.         }  
67.         catch (Exception ex)  
68.         {  
69.         }  
70.     }  
71.     private bool processSqlStr(string str)  
72.     {  
73.         bool returnValue = true;  
74.         try  
75.         {  
76.             if (str.Trim() != "")  
77.             {  
78.                 //取得webconfig中过滤字符串  
79.                 string sqlStr = ConfigurationManager.AppSettings["FilterSql"].Trim();  
80.                 //string sqlStr = "declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate";  
81.                 string[] sqlStrs = sqlStr.Split(‘|‘);  
82.                 foreach (string ss in sqlStrs)  
83.                 {  
84.                     if (str.ToLower().IndexOf(ss) >= 0)  
85.                     {  
86.                         sqlStr = ss;  
87.                         returnValue = false;  
88.                         break;  
89.                     }  
90.                 }  
91.             }  
92.         }  
93.         catch  
94.         {  
95.             returnValue = false;  
96.         }  
97.         return returnValue;  
98.     }  
99. }  

100. 在web.config中添加以下：

     <appSettings>
       <add key="FilterSql" value="declare |exec|varchar |cursor |begin |open |drop |creat |select |truncate "/>
      </appSettings>

     <httpModules>
        <add type="cedar" name="cedar"/>
       </httpModules>