求一段具有SQL防注入检测的实例代码
求一段具有SQL防注入检测的实例代码
[解决办法]
以asp.net为例
在Global.asax中
/// <summary> /// /// </summary> /// <param name="sender"></param> /// <param name="e"></param> void Application_BeginRequest(object sender, EventArgs e) { this.StartProcessRequest(); } /// <summary> /// 处理用户提交的请求 /// </summary> private void StartProcessRequest() { try { string getkeys = ""; // 检测GET方法 if (System.Web.HttpContext.Current.Request.QueryString != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys])) { System.Web.HttpContext.Current.Response.End(); } } } // 检测POST方法 if (System.Web.HttpContext.Current.Request.Form != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i]; if (getkeys == "__VIEWSTATE") continue; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys])) { System.Web.HttpContext.Current.Response.End(); } } } } catch { } } /// <summary> /// 分析用户请求是否正常 /// </summary> /// <param name="Str">传入用户提交数据 </param> /// <returns>返回是否含有SQL注入式攻击代码 </returns> private bool ProcessSqlStr(string Str) { bool ReturnValue = true; try { if (Str.Trim() != "") { string[] anySqlStr = new string[] { "truncate ", "declare ", "nvarchar(", "varchar(", "sysobjects" }; foreach (string ss in anySqlStr) { if (Str.ToLower().IndexOf(ss) >= 0) { ReturnValue = false; break; } } } } catch { ReturnValue = false; } return ReturnValue; }