首页 > 代码库 > aspx 中防止sql注入

aspx 中防止sql注入

public class SqlInject:Page    {        //检测到注入后的处理方式: 0:仅警告;1:警告+记录;2:警告+自定义错误页面;3:警告+记录+自定义错误页面          private const int _type = 0;        private const string errRedirectPage = "/err.aspx";        //如果记录注入信息,那么请设置:errMDBpath:数据库路径          private const string errMDBpath = "/SqlInject.mdb";        //过滤特征字符          //过滤特征字符          private static string StrKeyWord = ConfigurationManager.AppSettings["SqlKeyWord"]; //@"select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec|master|net local group administrators|net user|or|and";          private static string StrRegex = ConfigurationManager.AppSettings["SqlRegex"];  //@";|/|(|)|[|]|{|}|%|@|*|‘|!"; // 原始过滤条件:【-|;|,|/|(|)|[|]|{|}|%|@|*|‘|!】          private HttpRequest request;        public SqlInject(System.Web.HttpRequest _request)        {            this.request = _request;        }        ///<summary>          ///检测SQL注入及记录、显示出错信息          ///</summary>          public void CheckSqlInject()        {            bool isInject = false;            if (CheckRequestQuery() || CheckRequestForm())            {                isInject = true;            }            else            {                return;            }            switch (_type)            {                case 0:                    ShowErr();                    break;                case 1:                    ShowErr();                    SaveToMdb();                    break;                case 2:                    ShowErr();                    string temp;                    System.Web.HttpContext.Current.Response.Write("<script>setTimeout(\"" + "location.href=http://www.mamicode.com/‘" + errRedirectPage + "" + "\",5000)</script>");                    break;                case 3:                    ShowErr();                    SaveToMdb();                    System.Web.HttpContext.Current.Response.Write("<script>setTimeout(\"" + "location.href=http://www.mamicode.com/‘" + errRedirectPage + "" + "\",5000)</script>");                    break;                default:                    break;            }            System.Web.HttpContext.Current.Response.End();        }        private void SaveToMdb()        {            OleDbConnection conn = new OleDbConnection("Provider=Microsoft.JET.OLEDB.4.0;Data Source=" + Server.MapPath(errMDBpath));            conn.Open();            OleDbCommand cmd = conn.CreateCommand();            cmd.CommandText = "insert into [Record] (sIP,sDate,sPath) values (‘" +                 request.ServerVariables["REMOTE_ADDR"].ToString() + "‘,‘" +                 DateTime.Now + "‘,‘" + request.ServerVariables["URL"].ToLower() + RelaceSingleQuotes(request.QueryString.ToString()) + "‘)";            int code = cmd.ExecuteNonQuery();            if (code == 1)                HttpContext.Current.Response.Write("<br>****以上信息已记录至日志数据库****");            else                HttpContext.Current.Response.Write("<br>日志数据库出错");            conn.Close();        }        private string RelaceSingleQuotes(string _url)        {            string URL = _url.Replace("", "单引号");            return URL;        }        private void ShowErr()        {            //string msg = @"<font color=red>请不要尝试未授权之入侵检测!</font>" + @"<br><br>";              //msg += @"操作IP:" + request.ServerVariables["REMOTE_ADDR"] + @"<br>";              //msg += @"操作时间:" + DateTime.Now + @"<br>";              //msg += @"页面:" + request.ServerVariables["URL"].ToLower() + request.QueryString.ToString() + @"<br>";              //msg += @"<a href=‘#‘ onclick=‘javascript:window.close()‘>关闭</a>";              //System.Web.HttpContext.Current.Response.Clear();              //System.Web.HttpContext.Current.Response.Write(msg);              HttpContext.Current.Response.Write("<script>alert(‘请不要尝试未授权之入侵检测!‘);javascript:history.go(-1);</script>");        }        ///<summary>          /// 特征字符          ///</summary>          public static string KeyWord        {            get            {                return StrKeyWord;            }        }        ///<summary>          /// 特征符号          ///</summary>          public static string RegexString        {            get            {                return StrRegex;            }        }        ///<summary>          ///检查字符串中是否包含Sql注入关键字          /// <param name="_key">被检查的字符串</param>          /// <returns>如果包含注入true;否则返回false</returns>          ///</summary>          private static bool CheckKeyWord(string _key)        {            string[] pattenString = StrKeyWord.Split(|);            string[] pattenRegex = StrRegex.Split(|);            foreach (string sqlParam in pattenString)            {                if (_key.Contains(sqlParam + " ") || _key.Contains(" " + sqlParam))                {                    return true;                }            }            foreach (string sqlParam in pattenRegex)            {                if (_key.Contains(sqlParam))                {                    return true;                }            }            return false;        }        ///<summary>          ///检查URL中是否包含Sql注入          /// <param name="_request">当前HttpRequest对象</param>          /// <returns>如果包含注入true;否则返回false</returns>          ///</summary>          public bool CheckRequestQuery()        {            if (request.QueryString.Count > 0)            {                foreach (string sqlParam in this.request.QueryString)                {                    if (sqlParam == "__VIEWSTATE") continue;                    if (sqlParam == "__EVENTVALIDATION") continue;                    if (CheckKeyWord(request.QueryString[sqlParam].ToLower()))                    {                        return true;                    }                }            }            return false;        }        ///<summary>          ///检查提交的表单中是否包含Sql注入          /// <param name="_request">当前HttpRequest对象</param>          /// <returns>如果包含注入true;否则返回false</returns>          ///</summary>          public bool CheckRequestForm()        {            if (request.Form.Count > 0)            {                foreach (string sqlParam in this.request.Form)                {                    if (sqlParam == "__VIEWSTATE") continue;                    if (sqlParam == "__EVENTVALIDATION") continue;                    if (CheckKeyWord(request.Form[sqlParam]))                    {                        return true;                    }                }            }            return false;        }      }}
View Code

在web编程中都有被sql注入的风险,要防止sql注入,最基本就是从编写代码的时候开始防护

 

在web.config中加入

 <appSettings>    <add key="SqlKeyWord" value=http://www.mamicode.com/"select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec|master|net local group administrators|net user|or|and"/>    <add key="SqlRegex" value=http://www.mamicode.com/";|(|)|[|]|{|}|%|@|*|‘|!"/>  </appSettings>

然后在Global文件中加入

void Application_BeginRequest(object sender, EventArgs e)        {            //防SQL注入代码               SqlInject myCheck = new SqlInject(this.Request);            myCheck.CheckSqlInject();          }

对于软件方面的防护,微软官方给了一个UrlScan的工具

urlScanx86

urlScanx64

安装完软件后要重启一下iis才能生效

转载自 http://netsecurity.51cto.com/art/201301/375797_1.htm