在global.asax中防止注入,弄了个过滤函数:
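/// <summary>
/// Scans every inbound request value (form fields, query string, cookies) with
/// the SQL keyword filter before any handler runs; a hit ends the request (see goErr).
/// </summary>
/// <param name="sender">The application raising the event.</param>
/// <param name="e">Event data (unused).</param>
/// <remarks>
/// The opaque state fields ASP.NET itself emits (__VIEWSTATE, __VIEWSTATEENCRYPTED,
/// __EVENTVALIDATION) are skipped. They are encoded blobs, not user text, and a
/// substring blacklist trips on them at random: the form dump on this page has an
/// __EVENTVALIDATION value containing "ANd". The earlier code skipped __VIEWSTATE
/// only, which is one reason ordinary GridView postbacks were rejected.
/// This scan is a heuristic; parameterized SqlCommand calls are the actual
/// defense against SQL injection.
/// </remarks>
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // POST values, minus the framework's own hidden state fields.
    foreach (string key in Request.Form)
    {
        switch (key)
        {
            case "__VIEWSTATE":
            case "__VIEWSTATEENCRYPTED":
            case "__EVENTVALIDATION":
                continue;   // opaque framework state, never user text
        }
        goErr(Request.Form[key]);
    }

    // GET values.
    foreach (string key in Request.QueryString)
    {
        goErr(Request.QueryString[key]);
    }

    // Cookie values; the cookie collection enumerates its cookie names.
    if (Request.Cookies != null)
    {
        foreach (string name in Request.Cookies)
        {
            goErr(Request.Cookies[name].Value);
        }
    }
}
/// <summary>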
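/// Heuristic scan of <paramref name="InText"/> for SQL keywords.
/// </summary>
/// <param name="InText">The string to scan; null is treated as clean.</param>
/// <returns>true if any blacklisted keyword occurs in the text as a
/// case-insensitive substring, otherwise false.</returns>
/// <remarks>
/// This is a substring blacklist, not a SQL defense. It rejects legitimate text
/// that merely contains "and", "chr", "mid", ... (the GridView postback problem
/// described on this page), and it cannot recognise input that avoids these
/// tokens. Every query should go through parameterized SqlCommand / SqlParameter
/// calls; keep this check, if at all, as a logging signal rather than the gate.
/// </remarks>
public bool SqlFilter(string InText)
{
    // Add further keywords here, '|'-separated. " or " keeps its spaces on
    // purpose; the other entries match anywhere inside a word.
    const string word = "and|exec|insert|select|delete|update|chr|mid|master| or |truncate|char|declare|join|cmd";

    if (InText == null)
    {
        return false;
    }

    foreach (string keyword in word.Split('|'))
    {
        // Ordinal, case-insensitive comparison instead of ToLower()+IndexOf:
        // ToLower() honours the thread culture (e.g. Turkish "I" does not fold
        // to "i"), so an upper-case "INSERT" could slip past; it also avoids
        // re-lowering the whole input once per keyword.
        if (InText.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return true;
        }
    }
    return false;
}
/// <summary>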
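/// Rejects the current request if <paramref name="tm"/> trips <see cref="SqlFilter"/>.
/// </summary>
/// <param name="tm">One request value (form field, query-string value or cookie value) to check.</param>
/// <remarks>
/// On a hit a fixed script alert is written and the response is ended, so no
/// later pipeline stage or page code sees the request. In classic ASP.NET
/// Response.End() stops the request by aborting the thread, so nothing after
/// the call runs. For non-HTML clients a 400 status would be more useful than
/// an inline script; that is left unchanged here to preserve behaviour.
/// </remarks>
private void goErr(string tm)
{
    if (!SqlFilter(tm))
    {
        return;
    }
    // The message is a fixed literal, never the offending input, so this write
    // does not reflect user data. The split "</" + "script>" is a leftover from
    // inline .aspx usage and is kept so the emitted bytes are unchanged.
    Response.Write(" <script>window.alert('参数存在不安全字符');" + " </" + "script>");
    // Same object as System.Web.HttpContext.Current.Response inside HttpApplication.
    Response.End();
}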
现在的问题是当gridview编辑的时候,post的数据集request.form里面有些正常的参数也含有and,chr什么的关键字。这种如何处理。或者有什么更好的方法防止注入。除了用sqlcommand的参数方式和存储过程。请高人指点
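/// <summary>
/// Scans every inbound request value (form fields, query string, cookies) with
/// the SQL keyword filter before any handler runs; a hit ends the request (see goErr).
/// </summary>
/// <param name="sender">The application raising the event.</param>
/// <param name="e">Event data (unused).</param>
/// <remarks>
/// The opaque state fields ASP.NET itself emits (__VIEWSTATE, __VIEWSTATEENCRYPTED,
/// __EVENTVALIDATION) are skipped. They are encoded blobs, not user text, and a
/// substring blacklist trips on them at random: the form dump on this page has an
/// __EVENTVALIDATION value containing "ANd". The earlier code skipped __VIEWSTATE
/// only, which is one reason ordinary GridView postbacks were rejected.
/// This scan is a heuristic; parameterized SqlCommand calls are the actual
/// defense against SQL injection.
/// </remarks>
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    // POST values, minus the framework's own hidden state fields.
    foreach (string key in Request.Form)
    {
        switch (key)
        {
            case "__VIEWSTATE":
            case "__VIEWSTATEENCRYPTED":
            case "__EVENTVALIDATION":
                continue;   // opaque framework state, never user text
        }
        goErr(Request.Form[key]);
    }

    // GET values.
    foreach (string key in Request.QueryString)
    {
        goErr(Request.QueryString[key]);
    }

    // Cookie values; the cookie collection enumerates its cookie names.
    if (Request.Cookies != null)
    {
        foreach (string name in Request.Cookies)
        {
            goErr(Request.Cookies[name].Value);
        }
    }
}
/// <summary>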
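/// Heuristic scan of <paramref name="InText"/> for SQL keywords.
/// </summary>
/// <param name="InText">The string to scan; null is treated as clean.</param>
/// <returns>true if any blacklisted keyword occurs in the text as a
/// case-insensitive substring, otherwise false.</returns>
/// <remarks>
/// This is a substring blacklist, not a SQL defense. It rejects legitimate text
/// that merely contains "and", "chr", "mid", ... (the GridView postback problem
/// described on this page), and it cannot recognise input that avoids these
/// tokens. Every query should go through parameterized SqlCommand / SqlParameter
/// calls; keep this check, if at all, as a logging signal rather than the gate.
/// </remarks>
public bool SqlFilter(string InText)
{
    // Add further keywords here, '|'-separated. " or " keeps its spaces on
    // purpose; the other entries match anywhere inside a word.
    const string word = "and|exec|insert|select|delete|update|chr|mid|master| or |truncate|char|declare|join|cmd";

    if (InText == null)
    {
        return false;
    }

    foreach (string keyword in word.Split('|'))
    {
        // Ordinal, case-insensitive comparison instead of ToLower()+IndexOf:
        // ToLower() honours the thread culture (e.g. Turkish "I" does not fold
        // to "i"), so an upper-case "INSERT" could slip past; it also avoids
        // re-lowering the whole input once per keyword.
        if (InText.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return true;
        }
    }
    return false;
}
/// <summary>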
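/// Rejects the current request if <paramref name="tm"/> trips <see cref="SqlFilter"/>.
/// </summary>
/// <param name="tm">One request value (form field, query-string value or cookie value) to check.</param>
/// <remarks>
/// On a hit a fixed script alert is written and the response is ended, so no
/// later pipeline stage or page code sees the request. In classic ASP.NET
/// Response.End() stops the request by aborting the thread, so nothing after
/// the call runs. For non-HTML clients a 400 status would be more useful than
/// an inline script; that is left unchanged here to preserve behaviour.
/// </remarks>
private void goErr(string tm)
{
    if (!SqlFilter(tm))
    {
        return;
    }
    // The message is a fixed literal, never the offending input, so this write
    // does not reflect user data. The split "</" + "script>" is a leftover from
    // inline .aspx usage and is kept so the emitted bytes are unchanged.
    Response.Write(" <script>window.alert('参数存在不安全字符');" + " </" + "script>");
    // Same object as System.Web.HttpContext.Current.Response inside HttpApplication.
    Response.End();
}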
现在的问题是当gridview编辑的时候,post的数据集request.form里面有些正常的参数也含有and,chr什么的关键字。这种如何处理。或者有什么更好的方法防止注入。除了用sqlcommand的参数方式和存储过程。请高人指点
{__EVENTTARGET=GridView2&__EVENTARGUMENT=Edit%2413&__VIEWSTATE=yzAXFLJcSGfhfcTIUKbQWMZ8zeLDnVYe7%2bPwZy3bGZsqKT0PD%2faV9NAiOQTkv6e%2b1lIjvJgSQE4aEvzBVtmEZbbV9zZ0UnVveVSW%2b6ZcyORnX00PCgnKm8PD1n4rhIv85eJAQL9ed5ttydb7ShFJFOl7kkFEE5rRNhVwUAPDsGC%2boCcKo6z8YSVbD1evt66JioixvgeZHGvl4RHDGSz%2bRK4Q2P6ho03EgLjnWXV0tVIg9VmTb0PWhi%2fjfuI53F8F1cVZnBi422Ap3ocAlyg%2bR0Rq%2fXD8N5h0kLHgnUA7q5ZSdGbSkEwiNopNtYNZLn5rGBTZdTNgnpj9%2f2WrGgFIdj%2ftPPO50104TTu54oV%2fuPjZ5wChn%2b1m0bMPRe9nV1s02Mmae%2b6C5fZEeeV394HXNH8bJFh28ePQR1UoqkhuiSxe39IQ%2b4BmsfOP8QIGvj%2fGvLSRDjdXageBsZqxfl2rtdrIhKoVbAGRj1u0LNex4fq9zf7S6DscJ3fFQvqnoVjU4Ao%2bH1fTCrDC9s7JEzqNBxJCvSxXQQzjn3NdPkddNYYmuQF0MUibuzrifCKCIzZqEy9ZTbmHtW4tEVKsNzlwE4hRRIbJCkVJmDiRxhhqHhhZUSGxy71f%2b4dBScwXl0z2xntDXpNEgjTeLV8ZP33K%2fxeTfgMmEgI09k5WWnQ8diPDoeqOMFP24kvmsJAuznr3sIoP1L7ZOCyprT1paH8hz6kiLPVoiBVqiPNV6k%2be5HdMj%2fFah%2bQNsciGouR5SOUnQLearZYJXfgcriEox78Yltfb6N1PkoacZfTddtBlxzjZ5i6%2fxPcEqX2HNks%2b04Zf3hlz2NoYQndVydXDKcOs7FzSoNJOjLDIHKyCbLneYG19tZykjhLK01THoV6NavB7f1NWryLbDtQtOo2%2fLLpAR7xE1dKakXTEVTiWMKuS3FMFNHd4q22Je5i%2b%2fwO1Qk7DFwOSjgs2vmKa7aMTJwnEuRhT%2flv1YIgJjhsyfBYoeccExhSQQasI%2fASPVrgT%2fegkxeJjJVWr9SzCqYYTfMUCmTXBygYLxf%2fViPEPwe1p%2bs89vDB6k%2fuLaJsIewTrETu%2fh7KW8Br3os8YIe1A27uCpNJMN4K5HfekDohoY0ZjUDDeIAx2OfUlxf9cKqwThmwei1PgBISxliwwk27S%2fsfH8G3niGnOqjBARoWP51O0ejFhBieWNP0T%2fnx5I96Xwq2SyH78aKp%2fRMizSFYaZpLrXIRejwclaU7gki0XIc3JK8msknCm7%2fkMU05nZeR4HVUlo6tOYUmTsjAx3DFNHhUvhQqQqjln66mVh5hytxQCPbdQN64L3pn%2bWgeYHHXba%2b19hQ9nMIs1zVo244rQ9T71nRqxeyfhLy54P1gOy7lY%2f%2bIgARLyOqqhJ3KDPxgufb%2bQJoxBEFYoldtzlVgWmV95Vp6BLIX%2boTPQY6%2bS41cibYBEVfkZfa6yydPIPpt7HcN145PCQbRPNUq3yBesRXY8IQG58nVeZ%2b3CJEQxPVfMTCRWJ0BPV%2fMreR24RmhMsL7J2ogHjFENVyxqYDp1pR8SV34OfmBGeV2C8y%2fSUQa6YXpRx52fql%2fNwZLIJE7lPCS9bx5aIm9ZSnHvbDwhRG9bzkm87Qfda8VjvzTa7iN2m9GU2J6AaeGkcbvi09yU9v4MCVteue0rpVJvN3g8TRQFgbjCRRq1NKBnrgwvxTjeKKpxPJUW4ZcC0fm0ovFRS%2fcnfjAUFC3cZtMsXAAS9xSKzYEKV6rC%2fcpJ80yXTOkUtJgYuUEowBKnutaM3pk0USp34WiilPiupC%2bcPjHHw%2fx5Fh2N6YzQx2GEkGfjwFF
p%2fCCR9stA8sJfRaPnRHKYNqtwmLbGLb2SR%2fV91OBVHrzokH%2fMwInVsL2ZCOpPAbPtRt1BbMnAOXBq9knUaV19zxLUTMaUL8VSwRY10zlP4UaLV3wri%2fOYodPJJYFvf9CjlOySsNhJUz0T1T2jFIYYyIeS11ObgPJGUCavX%2b8pY5Sf70Zahya7GJNSkgCvI21cAecaAnN8WsIoDnTZdyP8e8v0RFAsBmH%2bti%2fSA6MLJn%2fI40xYwyt5oTpAgcuQ7hb2oErdGXKoG0jH7tCQ%2fd8njlLMa1FdCSNx7YuKBijezZeoqzPll%2fobAyOuOeEEjvfFKa0Ni0hDWnA7ExDt2A6RQIUfmbEEugYx3ZNHKBTtdF2Z%2b6sR1wzWeZBHrV3NFYHZAJxj3BhKuormKc5OcHfkrYkhQ5xJXnzJFbOBe5fmNSpEj3FnwUGKuXPahP4LOfSmh3KCfvqusTw4YgQuc5sSHjWUhGytforHTk7t9ldC04uJD%2bf%2f0x0I8%2fK%2fI1I27IGnPy%2bnYMwpAJRtb2ROdP5t3jVhyIsr9aZb2wg%2b%2bZrnTYAfohfcRTG5MAvjLQILeNLgvFO1V9%2b8BjaXygbX%2fgQT3hE9qF9R8GtnHPIEUS4yg%2bWd1TJVqgzgSg4PNAJTfwPV9u4OOZRCzGd91CrZwwsuqjzc5JFw97opj%2fVZzEQg0cHaOOYLPd7rqEvGHL1OnfHCleB3WJv01NhSk48HxXvW9JLQc%2fL8HsL%2fUMhT%2bIO5ynNNdM1VV1aOfkm%2f1nB%2bnOMYSsUPpuQG%2foxUFjj2xnak8EOMdAU5M8w8swu7AiFEkq6YZ8US%2fYa%2ba2k6n5lskd8jqqQ6Zwscf9pwIiY88GG%2f2epnM%2bGeHjfypCNOQtZ0zYDpgVMROYk8I4BtHs4meBF2%2beOaqkjQK0%2buGBkZMPiSp68wRECwhz4M3sl7CfzjRQsGhJXlWIm3nQkkd1UWMVkKgJWoKUW4s9bw7n8fWOTriui7X7QI4arVa587dExu06OxVCLVW2l4Hjl6JeXkb9LuNsSv%2bWRgBef70fC45atvVXSTijlcqQgRfNn3p9jcyt78dcofl%2fe6s%2bBYFnJAl3f1h5fwCdvwih9j90SExIckt1oShwvGfQMCiNNwuLd%2bHQTJuXlXvJTJSO65d5Hm%2fLFq7CtV5gDrAAWMwr%2bEG%2fYmAJMMBon0hnZcJwbMh0gj1if%2f9ZYbzj7evt6xW1rcUaDem7TW2UiZW11z9FBmpjMxE4bMxnA2xa4EOCMBfhDcQwkcGzaw4NXO3vf4KA6kHGuEY0VvO56sSHqQRH7QUhd%2f5Y190TKX4i7NXup3C%2bWHz11%2f0%2fHMvZCQ6Ftlo2sb3BG9SZuomcPQjXNozKGDaRHoH0UpMal5wK5T3wa6vMTWQl0ldCqt679SAr8c%2fOWqT43zDkOfuzROCfD5%2fjuLwi2Z99uJ1dhBDBekqr4w96S4VVPJDPPQw%2fp8WxXPwwXt7Wbwz8HpEQbDcRfLwSCq5CNf8dufsXrZ%2bYBg%2f6h54v9bjIwe1W6Spncl%2bLRWr89s%2b0SaYi%2bbzytlgGg1DTF94QeAHmFSorjmfvp93WJ6Fa%2bkGMWpzNyrHYFklKrZZnxge8JEXysXj0bP54uHMDDko08L4s5E%2by88Ak3npPe8%2ft4FCXo9nieyk%2fG1aSHDD0vWsX1fRRjmhyV7CiE5gJyaj%2b%2bg%2fwI1NqZ1%2fTekLMssD52%2bIc%2fJilN8rHIYwZSoIyTKu0GjSBd%2beefIWByqsdAEKxW8BcaYiWsI65cEvB8zcLTXdcuNMuUMQgSdSzPwBBY1Zgl65N5b8By2YSrfgvwA0A4kyfZxStFh%2bxI6yN7UuDB19Ki0pFNEFvvBN3b7h4RYEp4%2fM%2bg2bGk
RrS64Au0SV96J2%2fb%2fkEOhz%2fbhj8flg3bO0Bms%2fFlDdHoqRhAf4ova8rWQxrUvhgwAg8Dkp44iuTHcsOBEVArUiqBh1qewsLMY5qbeTsi5XjUxc%2fwbXaLxWQyoC5qNTsVHyfOVIWvYCT0SokLUu%2fik1VWvznyvcMjtW5a3%2fC%2fXslSTGWqkPXsH803thCvo0WNYxBISEv0iwu%2bQzYTSbPRz5JZ9zIkIroSGdfCL84qcacAEamFSL4yn5tJzh1lQTfcPhheYNnHy0qmaQC%2bos4DS2YjLJ%2bT9Ata7ZChu9Nn0a3tcI34ejm7dj7rGuRKuA76tZUQ%2b8YGRNir%2fuJ9nt6Hj00HQGqgWQB4JIFMycWlyXrwa2%2fHwpM3%2brkcQStuc9sVlcf67iopdGhcMtf5T2XkRhjp5orVUWDNLJB%2fhBsRt2IBizHAnoh0VqhJoCqExFQ6lxx%2fm0yj6KaBqK9DWmQbWozPp29vbrU%2bpyhlDzy73KzP%2b87gIRm5EtrIXVHhDZVK8gYvrxwVLHXfQbE7H999pxNgqFLSfisKG4cm%2bTu7i4PMmABjeWE0BFYPxyRbSN03KCrP7bVZRpaKtdiUPNEozYgWfPiTgCri5cFChweCP%2b0lPyNsaUCjUOHnhrO%2bgdm0sSqxvqGQbRE%2fj%2bI5fmv36uAvtfES6k9O9A184s60a27HH2gQ%2fvX0pAKrk0b9RUhLlCcZWhuaWOVsBJObu7qfbLp%2frLLLMTIqrocZ66bvWRX9GIPX5rMlb007%2fkQJQcLt2QP2NP81QZV2yzbjk7mP52YEU4jup8P3Bb7XSfTL9O87HW77FLScse381vXuRNm5B88DZZl6rwn9RYYVxqJQ3DiL44T7TnM6E5gVOJ540t2%2bAZrcVpcZ6cKwq%2bgTO1ChbBIXU52mwRbg4h3ztYOjJomAL5R0UeCxL%2fgO17e9%2fuc%2fMsHg14OcYi0daFIg%3d&GridView2%24ctl14%24ctl01=admin&GridView2%24ctl14%24ctl02=%u5b66%u4e60%u4ea4%u6d41&GridView2%24ctl14%24ctl03=2009-9-11+13%3a02%3a27&txttitle=&DropDownList1=%u516c%u53f8%u52a8%u6001&txtmessage=&__VIEWSTATEENCRYPTED=&__EVENTVALIDATION=PzIxRwZ7OgjqYHfbIsBBwMYIJXBp10lrfWdc2nB%2beGSA58d1bLBKTs8XGL%2fg5VNyWzRnGtV1xq5nH%2fi5D7Cd9nfacVppjaoL9GmFy6cqKmu2MmPwdgz0QH6%2fqdCrVUJk7SUNqBIRe0GfxPgfBuIlANdxB0zesbe5ccx4NJkY7YAiPimooOIG%2bkK%2fDv1oSHv8DpW0VrQJpv7W%2fHlpBcudkZupomzuS8kQUW7g9V1xJREXDqDmULLESaFuqXV5J7LTBrXd2Mm1rU6dim%2bkkXgNZA%3d%3d}
可以参考FortuneBase
www.cnblogs.com/mail-ricklee
new SqlParameter("@BName", SqlDbType.VarChar,20),
new SqlParameter("@PassWord", SqlDbType.VarChar,50),
new SqlParameter("@EMail", SqlDbType.VarChar,30),
new SqlParameter("@State", SqlDbType.Int,4)};
parameters[0].Value = model.BName;
parameters[1].Value = model.PassWord;
parameters[2].Value = model.Email;
parameters[3].Direction = ParameterDirection.Output;
DbHelperSQL.RunProcedure("BHL_BUser_GetPW", parameters);
return Int32.Parse(parameters[3].Value.ToString());