
Preventing SQL injection attacks — a keyword-blacklist request filter (ASP.NET). Note: such a filter is defence-in-depth at best and does not replace parameterised queries in the data-access layer.


using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Web;
 3 
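namespace Moosoft.OA.HttpModule
{
    /// <summary>
    /// Rejects requests whose query-string or form values contain a blacklisted
    /// SQL keyword, redirecting them to the page named by the
    /// <c>CustomErrorPage</c> app setting.
    /// </summary>
    /// <remarks>
    /// SECURITY: keyword blacklisting is not a defence against SQL injection and
    /// must not be relied on as one. The list is short (no comment sequences,
    /// no <c>union</c>, no <c>or</c>, no <c>;</c>), every entry requires a
    /// trailing space so <c>select(</c> or <c>select/**/</c> pass, and only the
    /// query string and form are inspected - cookies, headers and route data
    /// never are. The real fix is parameterised queries (or stored procedures
    /// with parameters) in the data-access layer; keep this class, if at all, as
    /// defence-in-depth. It also rejects ordinary text such as "hand " or
    /// "account " because they contain "and " / "count ".
    /// </remarks>
    public class ProcessRequest
    {
        // Blacklist exactly as originally written: one entry per '|'-separated
        // token of "and |exec |...|declare ", trailing spaces included.
        // Matching is ordinal and case-insensitive so the server's culture
        // cannot change the outcome (the original used a culture-sensitive
        // ToLower(); under e.g. tr-TR that maps "I" to dotless "ı", so
        // "INSERT" would never have matched "insert ").
        private static readonly string[] SqlKeywords =
        {
            "and ", "exec ", "insert ", "select ", "delete ", "update ",
            "count ", " * ", "chr ", "mid ", "master ", "truncate ",
            "char ", "declare ",
        };

        // appSettings key holding the page rejected requests are redirected to.
        private const string ErrorPageSettingName = "CustomErrorPage";

        /// <summary>
        /// Creates the filter. No state is held; all work happens in
        /// <see cref="StartProcessRequest"/>.
        /// </summary>
        public ProcessRequest()
        {
        }

        #region SQL injection blacklist check

        /// <summary>
        /// Scans the current request's query string and form values. If any
        /// value contains a blacklisted keyword the response is redirected to
        /// <c>CustomErrorPage?errmsg=sqlserver&amp;sqlprocess=true</c> and
        /// ended; otherwise the method returns and the request proceeds.
        /// Does nothing when called outside a request (no current context).
        /// </summary>
        /// <exception cref="ConfigurationErrorsException">
        /// The <c>CustomErrorPage</c> app setting is missing or empty. The
        /// original read it with <c>.ToString()</c> inside a catch-all, so a
        /// missing key threw and silently disabled the filter for every request
        /// (fail-open); the misconfiguration is now reported instead.
        /// </exception>
        public void StartProcessRequest()
        {
            HttpContext context = HttpContext.Current;
            if (context == null)
            {
                // Not inside a request (e.g. a background thread): nothing to inspect.
                return;
            }

            string errorPage = ConfigurationManager.AppSettings[ErrorPageSettingName];
            if (string.IsNullOrEmpty(errorPage))
            {
                throw new ConfigurationErrorsException(
                    "appSettings/" + ErrorPageSettingName +
                    " is not set; the SQL keyword filter cannot redirect rejected requests.");
            }

            bool reject;
            try
            {
                reject = ContainsBlacklistedValue(context.Request.QueryString)
                      || ContainsBlacklistedValue(context.Request.Form);
            }
            catch (HttpException)
            {
                // Reading Form can throw (request validation, oversized or
                // malformed body). Fail closed: a request we could not inspect
                // is not one we vouch for. The original catch-all let it through.
                reject = true;
            }

            if (reject)
            {
                // Redirect(url) ends the response itself (endResponse defaults to
                // true), so the original's explicit Response.End() was redundant.
                // The ThreadAbortException raised by ending the response
                // propagates as usual and must not be swallowed here.
                context.Response.Redirect(errorPage + "?errmsg=sqlserver&sqlprocess=true");
            }
        }

        /// <summary>
        /// Returns true when any value in <paramref name="values"/> contains a
        /// blacklisted keyword. A null collection contains nothing.
        /// </summary>
        private static bool ContainsBlacklistedValue(NameValueCollection values)
        {
            if (values == null)
            {
                return false;
            }

            for (int i = 0; i < values.Count; i++)
            {
                // values[i] is the same comma-joined string the original obtained
                // via values[values.Keys[i]], including entries whose key is null.
                if (ContainsSqlKeyword(values[i]))
                {
                    return true;
                }
            }

            return false;
        }

        /// <summary>
        /// True when <paramref name="value"/> contains any blacklisted keyword
        /// (ordinal, case-insensitive substring match). Null or empty input
        /// contains nothing and returns false. This replaces the original
        /// private <c>ProcessSqlStr</c>, which returned the inverse ("is safe")
        /// and rejected null only because it hit a NullReferenceException.
        /// </summary>
        /// <param name="value">A single submitted query-string or form value.</param>
        /// <returns>True if the value should be rejected.</returns>
        public static bool ContainsSqlKeyword(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return false;
            }

            foreach (string keyword in SqlKeywords)
            {
                if (value.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }

            return false;
        }

        #endregion
    }
}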
// "CustomErrorPage" is the address of the user-defined error page that rejected requests are
// redirected to. The class above reads it through ConfigurationManager.AppSettings
// (System.Configuration); the obsolete ConfigurationSettings.AppSettings reads the same
// <appSettings> key. The filter appends "?errmsg=sqlserver&sqlprocess=true" to this value,
// so it must not already contain a query string. Add the key to Web.config:
//<!-- Custom error page for requests rejected by the SQL keyword filter -->
//<add key="CustomErrorPage" value="../Error.html" />
