/// <summary>
/// 在
Application_BeginRequest中加入函數StartProcessRequest()
/// </summary>
protected void Application_BeginRequest(Object sender, EventArgs
e)
{
StartProcessRequest();
}
#region
SQL注入式攻擊代碼分析
/// <summary>
/// 處理用戶提交的請求
/// </summary>
private void StartProcessRequest()
{
try
{
string getkeys =
"";
string sqlErrorPage = "/default.aspx";//如果有非法參數,轉向的錯誤提示頁面
if
(System.Web.HttpContext.Current.Request.QueryString != null)
{
for
(int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count;
i++)
{
getkeys =
System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if
(!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
if
(System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0;
i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys
= System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys ==
"__VIEWSTATE") continue;
if
(!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
if
(System.Web.HttpContext.Current.Request.Cookies != null)
{
for (int i =
0; i < System.Web.HttpContext.Current.Request.Cookies.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Cookies.Keys[i];
if
(!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].ToString()))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
// 錯誤處理: 處理用戶提交信息!
}
}
/// <summary>
/// 分析用戶請求是否正常
/// </summary>
/// <param
name="Str">傳入用戶提交數據 </param>
/// <returns>返回是否含有SQL注入式攻擊代碼
</returns>
private bool ProcessSqlStr(string Str)
{
bool
ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string
SqlStr = "and |exec |insert |select |delete |update |count |* |chr |mid |master
|truncate |char |declare";
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss)
>= 0)
{
ReturnValue = false;
break;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
#endregion
複製該程序到您的網站程序中的Global.asax.cs裏,重新編譯程序。
