富贵资源网 Design By www.hznty.com
首先,创建一个SQLInjectionHelper类完成恶意代码的检查
代码如下:
复制代码 代码如下:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;
/// <summary>
///SQLInjectionHelper 的摘要说明
/// </summary>
public class SQLInjectionHelper
{
/// <summary>
/// 获取Post的数据
/// </summary>
/// <param name="request"></param>
/// <returns></returns>
public static bool ValidUrlData(string request)
{
bool result = false;
if (request == "POST")
{
for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
{
result = ValidData(HttpContext.Current.Request.Form[i].ToString());
if (result)
{
break;
}
}
}
else
{
for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
{
result = ValidData(HttpContext.Current.Request.QueryString[i].ToString());
if (result)
{
break;
}
}
}
return result;
}
/// <summary>
/// 验证是否存在注入代码
/// </summary>
/// <param name="inputData"></param>
/// <returns></returns>
private static bool ValidData(string inputData)
{
//验证inputData是否包含恶意集合
if (Regex.IsMatch(inputData, GetRegexString()))
{
return true;
}
else
{
return false;
}
}
/// <summary>
/// 获取正则表达式
/// </summary>
/// <returns></returns>
private static string GetRegexString()
{
//构造SQL的注入关键字符
string[] strChar = { "and", "exec", "insert", "select", "update", "delete", "count", "from", "drop", "asc", "or", "char", "%", ";", ":", "\'", "\"", "-", "chr", "master", "mid", "truncate", "declare", "char", "SiteName", "/add", "xp_cmdshell", "net user", "net localgroup administrators", "exec master.dbo.xp_cmdshell" };
string str_Regex = ".*(";
for (int i = 0; i < strChar.Length - 1; i++)
{
str_Regex += strChar[i] + "|";
}
str_Regex += strChar[strChar.Length - 1] + ").*";
return str_Regex;
}
}
有此类后即可使用Global.asax中的Application_BeginRequest(object sender, EventArgs e)事件来实现表单或者URL提交数据的获取,获取后传给SQLInjectionHelper类ValidUrlData方法来完成检查
代码如下
复制代码 代码如下:
protected void Application_BeginRequest(object sender, EventArgs e)
{
bool result = false;
result = SQLInjectionHelper.ValidUrlData(Request.RequestType.ToUpper());
if (result)
{
Response.Write("您提交的数据有恶意字符");
Response.End();
}
}
下面以一个小程序测试:
创建一个页面,如下
复制代码 代码如下:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<br />
<asp:Button ID="btnPost" runat="server" Text="获取Post数据"
onclick="btnPost_Click" />
</div>
<asp:Button ID="btnGet" runat="server" Text="获取Get数据" onclick="btnGet_Click" />
</form>
</body>
</html>
分别添加单击事件,如下
复制代码 代码如下:
protected void btnPost_Click(object sender, EventArgs e)
{
}
protected void btnGet_Click(object sender, EventArgs e)
{
Response.Redirect("Default.aspx?a=1&b=2&c=3");
}
在文本框中输入非法字符串,无论post请求还是get请求,都会被防SQL注入程序所截获
代码如下:
复制代码 代码如下:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;
/// <summary>
///SQLInjectionHelper 的摘要说明
/// </summary>
public class SQLInjectionHelper
{
/// <summary>
/// 获取Post的数据
/// </summary>
/// <param name="request"></param>
/// <returns></returns>
public static bool ValidUrlData(string request)
{
bool result = false;
if (request == "POST")
{
for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
{
result = ValidData(HttpContext.Current.Request.Form[i].ToString());
if (result)
{
break;
}
}
}
else
{
for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
{
result = ValidData(HttpContext.Current.Request.QueryString[i].ToString());
if (result)
{
break;
}
}
}
return result;
}
/// <summary>
/// 验证是否存在注入代码
/// </summary>
/// <param name="inputData"></param>
/// <returns></returns>
private static bool ValidData(string inputData)
{
//验证inputData是否包含恶意集合
if (Regex.IsMatch(inputData, GetRegexString()))
{
return true;
}
else
{
return false;
}
}
/// <summary>
/// 获取正则表达式
/// </summary>
/// <returns></returns>
private static string GetRegexString()
{
//构造SQL的注入关键字符
string[] strChar = { "and", "exec", "insert", "select", "update", "delete", "count", "from", "drop", "asc", "or", "char", "%", ";", ":", "\'", "\"", "-", "chr", "master", "mid", "truncate", "declare", "char", "SiteName", "/add", "xp_cmdshell", "net user", "net localgroup administrators", "exec master.dbo.xp_cmdshell" };
string str_Regex = ".*(";
for (int i = 0; i < strChar.Length - 1; i++)
{
str_Regex += strChar[i] + "|";
}
str_Regex += strChar[strChar.Length - 1] + ").*";
return str_Regex;
}
}
有此类后即可使用Global.asax中的Application_BeginRequest(object sender, EventArgs e)事件来实现表单或者URL提交数据的获取,获取后传给SQLInjectionHelper类ValidUrlData方法来完成检查
代码如下
复制代码 代码如下:
protected void Application_BeginRequest(object sender, EventArgs e)
{
bool result = false;
result = SQLInjectionHelper.ValidUrlData(Request.RequestType.ToUpper());
if (result)
{
Response.Write("您提交的数据有恶意字符");
Response.End();
}
}
下面以一个小程序测试:
创建一个页面,如下
复制代码 代码如下:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<br />
<asp:Button ID="btnPost" runat="server" Text="获取Post数据"
onclick="btnPost_Click" />
</div>
<asp:Button ID="btnGet" runat="server" Text="获取Get数据" onclick="btnGet_Click" />
</form>
</body>
</html>
分别添加单击事件,如下
复制代码 代码如下:
protected void btnPost_Click(object sender, EventArgs e)
{
}
protected void btnGet_Click(object sender, EventArgs e)
{
Response.Redirect("Default.aspx?a=1&b=2&c=3");
}
在文本框中输入非法字符串,无论post请求还是get请求,都会被防SQL注入程序所截获
图1 测试防SQL注入程序的页面
图2 错误信息
富贵资源网 Design By www.hznty.com
广告合作:本站广告合作请联系QQ:858582 申请时备注:广告合作(否则不回)
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!
富贵资源网 Design By www.hznty.com
暂无评论...
稳了!魔兽国服回归的3条重磅消息!官宣时间再确认!
昨天有一位朋友在大神群里分享,自己亚服账号被封号之后居然弹出了国服的封号信息对话框。
这里面让他访问的是一个国服的战网网址,com.cn和后面的zh都非常明白地表明这就是国服战网。
而他在复制这个网址并且进行登录之后,确实是网易的网址,也就是我们熟悉的停服之后国服发布的暴雪游戏产品运营到期开放退款的说明。这是一件比较奇怪的事情,因为以前都没有出现这样的情况,现在突然提示跳转到国服战网的网址,是不是说明了简体中文客户端已经开始进行更新了呢?