
ASP.NET 怎么防注入

2011-12-23 
ASP.NET 如何防注入ASP.NET 如何防注入有人说建个全局类,我自己用替换字符串的型式被注入了!最好提供些代

ASP.NET 如何防注入
ASP.NET 如何防注入 有人说建个全局类,我自己用替换字符串的形式还是被注入了!最好提供些代码出来用。帮我解决问题给多20分也没关系!或加我QQ:547789678

[解决办法]
http://hi.baidu.com/simliving/blog/item/df62172441eade32c995597b.html
看看这个是不是管用
[解决办法]

C# code
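using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

namespace ProcessSqlInjection
{
    /// <summary>
    /// Request-level keyword screen for SQL injection attempts. On every
    /// BeginRequest it scans form fields, query-string values and cookie values
    /// and aborts the request when a blacklisted SQL keyword appears as a whole word.
    /// </summary>
    /// <remarks>
    /// NOTE(review): this is a heuristic, not a defence. Keyword blacklists are
    /// bypassable (inline comments, encodings, keywords that are not on the list)
    /// and they reject legitimate text such as "salt and pepper" or "Victor or Hugo".
    /// The only reliable protection is to never concatenate user input into SQL
    /// text: bind every value as a SqlParameter and treat this module as
    /// defence in depth at most.
    /// </remarks>
    public class SqlFilterHttpModule : IHttpModule
    {
        HttpApplication app = null;

        // Keywords that trigger rejection. Every entry is matched as a whole
        // word, case-insensitively.
        string[] blacklist = { "and", "exec", "insert", "select", "delete", "update", "chr", "mid", "master", "or", "truncate", "char", "declare", "join", "cmd" };

        // Built once per module instance from the blacklist. The \b boundaries
        // close the original "keyword followed by one space" gap, where
        // "select*", "select(", "select<tab>", "select/**/" and a keyword at the
        // very end of the value all slipped through.
        readonly Regex blacklistPattern;

        public SqlFilterHttpModule()
        {
            StringBuilder pattern = new StringBuilder(@"\b(?:");
            for (int i = 0; i < blacklist.Length; i++)
            {
                if (i > 0)
                {
                    pattern.Append('|');
                }
                pattern.Append(Regex.Escape(blacklist[i]));
            }
            pattern.Append(@")\b");
            blacklistPattern = new Regex(pattern.ToString(), RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
        }

        #region IHttpModule Members

        public void Dispose()
        {
            // Nothing to release: the module owns no unmanaged resources.
        }

        public void Init(HttpApplication context)
        {
            context.BeginRequest += new EventHandler(context_BeginRequest);
        }

        #endregion

        void context_BeginRequest(object sender, EventArgs e)
        {
            // A hard cast fails closed (InvalidCastException) instead of the
            // NullReferenceException the old "as" cast produced a line later.
            app = (HttpApplication)sender;
            ProcessSqlInjection();
        }

        /// <summary>
        /// Screens every user-controlled value of the current request
        /// (form fields, query string, cookies) and rejects the request on the
        /// first blacklisted keyword.
        /// </summary>
        void ProcessSqlInjection()
        {
            HttpRequest request = app.Context.Request;

            foreach (string key in request.Form)
            {
                // __VIEWSTATE and __EVENTVALIDATION are framework-generated
                // blobs, not raw user text; scanning them only yields false positives.
                if (key == "__VIEWSTATE" || key == "__EVENTVALIDATION")
                {
                    continue;
                }
                goErr(request.Form[key]);
            }
            foreach (string key in request.QueryString)
            {
                goErr(request.QueryString[key]);
            }
            foreach (string key in request.Cookies)
            {
                goErr(request.Cookies[key].Value);
            }
        }

        /// <summary>
        /// Sql Injection Filter
        /// </summary>
        /// <param name="inText">The string to screen.</param>
        /// <returns>true when the string contains a blacklisted keyword as a whole
        /// word (any letter case); false for null, empty or clean input.</returns>
        public bool SqlFilter(string inText)
        {
            if (string.IsNullOrEmpty(inText))
            {
                return false;
            }
            return blacklistPattern.IsMatch(inText);
        }

        /// <summary>
        /// Aborts the request when <paramref name="tm"/> fails the screen.
        /// </summary>
        /// <param name="tm">A single request value.</param>
        /// <exception cref="ArgumentException">Thrown to abort the pipeline.
        /// NOTE(review): an unhandled exception in BeginRequest surfaces as a
        /// server error; keep customErrors enabled so the message and stack are
        /// not echoed to the client.</exception>
        void goErr(string tm)
        {
            if (SqlFilter(tm))
            {
                throw new ArgumentException("You enter the wrong data parameters!");
            }
        }
    }
}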
[解决办法]
/// <summary>
/// Global.asax hook raised at the start of every request; delegates the
/// request screening to <see cref="StartProcessRequest"/>.
/// </summary>
/// <param name="sender">The application raising BeginRequest (not used).</param>
/// <param name="e">Event data (not used).</param>
void Application_BeginRequest(Object sender, EventArgs e)
{
    this.StartProcessRequest();
}

#region 
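/// <summary>
/// Screens every query-string and form value of the current request with
/// <see cref="ProcessSqlStr"/> and redirects to the error page when any value
/// is rejected.
/// </summary>
/// <remarks>
/// NOTE(review): a keyword screen is bypassable and is not a substitute for
/// parameterised SQL; keep it as defence in depth only. Unlike the original,
/// an exception inside the screen now fails closed (redirect) instead of being
/// swallowed by an empty catch and letting the request through unchecked.
/// </remarks>
private void StartProcessRequest()
{
    string sqlErrorPage = "index.aspx";
    System.Web.HttpContext context = System.Web.HttpContext.Current;

    bool accepted;
    try
    {
        accepted = RequestValuesAccepted(context.Request);
    }
    catch (Exception)
    {
        // Fail closed: a filter that throws must not let the request through unchecked.
        accepted = false;
    }

    if (!accepted)
    {
        // Redirect(url, true) ends the response itself (the separate Response.End
        // of the original was redundant); ASP.NET treats the resulting
        // ThreadAbortException as normal request termination.
        context.Response.Redirect(sqlErrorPage, true);
    }
}

/// <summary>
/// Returns false as soon as one query-string or form value fails
/// <see cref="ProcessSqlStr"/>. The framework-generated __VIEWSTATE and
/// __EVENTVALIDATION fields are skipped: they are opaque blobs, not user text,
/// and only produce false positives.
/// </summary>
/// <param name="request">The request being screened.</param>
/// <returns>true when every value passed the screen.</returns>
private bool RequestValuesAccepted(System.Web.HttpRequest request)
{
    foreach (string key in request.QueryString.AllKeys)
    {
        if (!ProcessSqlStr(request.QueryString[key]))
        {
            return false;
        }
    }
    foreach (string key in request.Form.AllKeys)
    {
        if (key == "__VIEWSTATE" || key == "__EVENTVALIDATION")
        {
            continue;
        }
        if (!ProcessSqlStr(request.Form[key]))
        {
            return false;
        }
    }
    return true;
}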
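/// <summary>
/// Returns true when <paramref name="Str"/> is acceptable and false when it
/// contains one of the screened SQL keywords (exec, insert, select, delete,
/// master, update, truncate, declare) as a whole word, in any letter case.
/// </summary>
/// <param name="Str">Raw request value; null is rejected, blank is accepted.</param>
/// <returns>true = pass the value on; false = reject the request.</returns>
/// <remarks>
/// Whole-word matching replaces two defects of the original: the substring
/// test flagged harmless words such as "selected" or "updatepanel", and the
/// "updatepanel" exemption that papered over that false positive exempted the
/// entire value, so "updatepanel'; select ..." was waved through.
/// NOTE(review): still a heuristic and still bypassable; bind every value as a
/// SqlParameter regardless of this check.
/// </remarks>
private bool ProcessSqlStr(string Str)
{
    // Fail closed on null (the original hit a NullReferenceException inside
    // its try block and returned false through the catch).
    if (Str == null)
    {
        return false;
    }
    if (Str.Trim().Length == 0)
    {
        return true;
    }

    const string keywordPattern = @"\b(?:exec|insert|select|delete|master|update|truncate|declare)\b";
    System.Text.RegularExpressions.RegexOptions options =
        System.Text.RegularExpressions.RegexOptions.IgnoreCase |
        System.Text.RegularExpressions.RegexOptions.CultureInvariant;

    return !System.Text.RegularExpressions.Regex.IsMatch(Str, keywordPattern, options);
}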
#endregion 
http://www.cnblogs.com/wj110reg/articles/952840.html
[解决办法]
-------------------------------没那么麻烦。如果要防 SQL 注入,直接用参数化查询这种方式即可(不要把用户输入拼接进 SQL 字符串)--------------------
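// Parameterised INSERT: the SQL text is a fixed literal and each user-supplied
// value travels as a typed SqlParameter, so the database never parses it as SQL.
// No escaping or keyword blacklist is needed for value1/value2.
// (Forum colour markup that had leaked into the literal is removed and the
// statement is terminated.)
string sql = "insert into TableName(ColumnName1,ColumnName2) values(@ColumnValue1,@ColumnValue2)";
SqlParameter[] para = new SqlParameter[] {
    new SqlParameter("@ColumnValue1", value1),
    new SqlParameter("@ColumnValue2", value2),
};
// NOTE(review): if a value is ever written as the literal 0, C# resolves
// new SqlParameter(name, 0) to the (string, SqlDbType) overload; cast to object
// or set .Value explicitly in that case.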

[解决办法]
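/// <summary>
/// Executes <paramref name="strSql"/> on the shared <c>SqlCon</c> connection and
/// returns an open reader; closing the reader also closes the connection.
/// </summary>
/// <param name="strSql">SQL text with @parameter placeholders. Never concatenate
/// user input into it; pass the values through <paramref name="sqlPar"/>.</param>
/// <param name="sqlPar">Parameters bound to the placeholders, or null when the
/// statement has none.</param>
/// <returns>A SqlDataReader opened with CommandBehavior.CloseConnection; the
/// caller must Close/Dispose it.</returns>
/// <exception cref="ArgumentNullException">strSql is null.</exception>
/// <remarks>
/// NOTE(review): SqlCon is a single connection shared by every caller. Because
/// the reader closes it, a second call used to fail unless something reopened
/// it, so the connection is opened here when it is not already open. A shared
/// connection is also not safe under concurrent web requests; a connection per
/// call (new SqlConnection(...) inside a using) is the sound design.
/// </remarks>
public static SqlDataReader ExecuteDataReader(string strSql, SqlParameter[] sqlPar)
{
    if (strSql == null)
    {
        throw new ArgumentNullException("strSql");
    }

    SqlCommand sqlCommand = new SqlCommand(strSql, SqlCon);
    if (sqlPar != null)
    {
        sqlCommand.Parameters.AddRange(sqlPar);
    }
    if (SqlCon.State != ConnectionState.Open)
    {
        SqlCon.Open();
    }
    return sqlCommand.ExecuteReader(CommandBehavior.CloseConnection);
}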

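// Parameterised login lookup: loginId and pwd are bound as SqlParameters, so a
// value such as "' OR 1=1 --" is compared as data and never parsed as SQL.
string strSql = "SELECT * FROM Logins WHERE loginId = @loginId AND loginPwd=@pwd";

SqlParameter[] sqlPar =
{
    new SqlParameter("@loginId", userName),
    new SqlParameter("@pwd", userPwd)
};

// NOTE(review): comparing loginPwd directly against the submitted password means
// the table holds passwords in clear text. Store a salted hash (e.g. PBKDF2) and
// verify it in application code instead; the parameterised query shape stays.
// 'using' releases the reader -- and, via CloseConnection, the connection --
// even when reading throws; the original only closed on the normal paths.
using (SqlDataReader sdr = DBHelper.ExecuteDataReader(strSql, sqlPar))
{
    if (!sdr.Read())
    {
        return null; // no such login or wrong password
    }

    Login login = new Login();
    login.LoginID = Convert.ToString(sdr["loginID"]);
    login.LoginPwd = Convert.ToString(sdr["loginPwd"]);
    return login;
}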

[解决办法]
提供一个方法(注意:下面是 HTML 实体编码函数,只能作为输出编码使用;防 SQL 注入仍然要用参数化查询)

C# code
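/// <summary>
/// Encodes the characters that most often carry markup or SQL metacharacters
/// (semicolon, space, percent, apostrophe, comma, angle brackets, backslash,
/// caret, "--") as HTML numeric entities and turns line feeds into a br tag,
/// for text that will be rendered back into a page.
/// </summary>
/// <param name="value">Raw input; null or whitespace-only yields "".</param>
/// <returns>The encoded text.</returns>
/// <remarks>
/// This is output encoding, not SQL-injection protection: as the original
/// comment says, the value must still be passed to SQL as a parameter.
/// NOTE(review): '&amp;' and '"' are not encoded, so this is not a complete
/// HTML encoder; HttpUtility.HtmlEncode is the standard choice for HTML output.
/// Fixes relative to the original: the first Replace used (char)44 (comma)
/// where the comment and the "&#59;" entity meant (char)59 (semicolon), which
/// turned commas into semicolons and made the later comma rule dead; line feeds
/// were converted to a br tag before the angle brackets were encoded, so the
/// tag came out as "&#60;br&#62;"; and the "a href" rewrite ran (twice) after
/// every '&lt;' had already been encoded and could never match, so it is dropped.
/// Carriage returns are left as-is, as in the original.
/// </remarks>
public static string StringEnCode(string value)
{
    if (value == null || value.Trim().Length == 0)
        return string.Empty;

    // Semicolon first, so the ';' that terminates every entity emitted below survives.
    value = value.Replace(((char)59).ToString(), "&#59;");   // ;
    value = value.Replace(((char)32).ToString(), "&#32;");   // space
    value = value.Replace(((char)37).ToString(), "&#37;");   // %
    value = value.Replace(((char)39).ToString(), "&#39;");   // '
    value = value.Replace(((char)44).ToString(), "&#44;");   // ,
    value = value.Replace(((char)60).ToString(), "&#60;");   // <
    value = value.Replace(((char)62).ToString(), "&#62;");   // >
    value = value.Replace(((char)92).ToString(), "&#92;");   // \
    value = value.Replace(((char)94).ToString(), "&#94;");   // ^
    value = value.Replace(((char)45).ToString() + ((char)45).ToString(), "&#45;&#45;"); // -- (SQL line comment)
    // Last, after '<' and '>' have been encoded, so the tag is emitted literally.
    value = value.Replace(((char)10).ToString(), "<br>");    // line feed
    return value;
}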
