防注问题

<%@ Page language="c#" Codebehind="demo_index.aspx.cs" AutoEventWireup="false" Inherits="XXXXPages.webpage.demo_index" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
<title>XXXXXXX XXXXX－XXXXX </title>
<meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
<meta content="C#" name="CODE_LANGUAGE">
<meta content="JavaScript" name="vs_defaultClientScript">
<meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
<meta content="XXXXXXXXXXXXXX" name="description">
<meta content="XXXX" name="keywords">
<LINK href="../img/column.css" type="text/css" rel="stylesheet">
<script type="text/javascript">
        function ShowCwPage(val) {
            document.showCw.FileName.value=val;
            document.showCw.submit();

        }
        function ShowExPage(val)
        {
          document.showEx.ExmId.value=val;
          document.showEx.submit();

        }
</script>
</HEAD>
<body leftMargin="0" topMargin="0" MS_POSITIONING="GridLayout">
<form id="Form1" method="post" runat="server">
<table cellSpacing="0" cellPadding="0" width="558" border="0">
<tr height="28">
<td width="10" background="../webimg/demo_vline_lefttop.gif"> </td>
<td width="265" background="../webimg/demo_Course.gif"> </td>
<td width="8"> </td>
<td width="265" background="../webimg/demo_Examdoc.gif"> </td>
<td width="10" background="../webimg/demo_vline_righttop.gif"> </td>
</tr>
<tr>
<td width="10" background="../webimg/demo_vline_left.gif"> </td>
<td width="538" colSpan="3" height="300">
<table cellSpacing="0" cellPadding="0" width="538" border="0">
<tr height="122">
<td vAlign="middle" align="center" width="265"> <asp:datagrid id="dgCourse" runat="server" ShowHeader="False" AutoGenerateColumns="False" CellPadding="0"
BorderWidth="0px" Width="250px" PageSize="5" GridLines="None" HeaderStyle-Height="15" AllowPaging="True">
<ItemStyle HorizontalAlign="Left" Height="20px" CssClass="lg" VerticalAlign="Middle"> </ItemStyle>
<HeaderStyle Height="15px"> </HeaderStyle>
<Columns>
<asp:BoundColumn Visible="False" DataField="FileName"> </asp:BoundColumn>
<asp:BoundColumn DataField="Grade">
<ItemStyle Width="25px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:BoundColumn DataField="Subject">
<ItemStyle Width="30px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:TemplateColumn>
<ItemTemplate>
<a href="javascript:void(0);" class="org" onclick=' <%# "ShowCwPage(\""+DataBinder.Eval(Container,"DataItem.FileName").ToString()+"\")"%>'>
<%# DataBinder.Eval(Container, "DataItem.CoswName").ToString().Trim().Length>15 ? DataBinder.Eval(Container, "DataItem.CoswName").ToString().Trim().Substring(0,15)+"..." : DataBinder.Eval(Container, "DataItem.CoswName").ToString().Trim() %>
</a>
</ItemTemplate>
</asp:TemplateColumn>
</Columns>
<PagerStyle Visible="False"> </PagerStyle>
</asp:datagrid>
<table cellSpacing="0" cellPadding="0" width="250" border="0">
<tr>
<td align="right"> <asp:label id="lbMoreCource" runat="server">更多>> </asp:label> </td>
</tr>
</table>
</td>
<td width="8"> </td>
<td vAlign="middle" align="center" width="265"> <asp:datagrid id="dgExamdoc" runat="server" ShowHeader="False" AutoGenerateColumns="False" CellPadding="0"
BorderWidth="0px" Width="250px" PageSize="5" GridLines="None" HeaderStyle-Height="15" AllowPaging="True">
<ItemStyle HorizontalAlign="Left" Height="20px" CssClass="lg" VerticalAlign="Middle"> </ItemStyle>
<HeaderStyle Height="15px"> </HeaderStyle>
<Columns>
<asp:BoundColumn Visible="False" DataField="ExmId"> </asp:BoundColumn>
<asp:BoundColumn DataField="GName">
<ItemStyle Width="25px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:BoundColumn DataField="SName">
<ItemStyle Width="30px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:TemplateColumn>
<ItemTemplate>
<a href="javascript:void(0);" class="org" onclick=' <%# "ShowExPage(\""+DataBinder.Eval(Container,"DataItem.ExmId").ToString()+"\")"%>'>
<%# DataBinder.Eval(Container, "DataItem.ExmName").ToString().Trim().Length>15 ? DataBinder.Eval(Container, "DataItem.ExmName").ToString().Trim().Substring(0,15)+"..." : DataBinder.Eval(Container, "DataItem.ExmName").ToString().Trim()  %>
</a>
</ItemTemplate>
</asp:TemplateColumn>
</Columns>
<PagerStyle Visible="False"> </PagerStyle>
</asp:datagrid>
<table cellSpacing="0" cellPadding="0" width="250" border="0">
<tr>
<td align="right"> <asp:label id="lbMoreExamDoc" runat="server">更多>> </asp:label> </td>

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

align="right"> <asp:label id="lbMoreExamDoc" runat="server">更多>> </asp:label> </td>
</tr>
</table>
</td>
</tr>
<tr height="28">
<td width="265" background="../webimg/demo_Test.gif"> </td>
<td width="8"> </td>
<td width="265" background="../webimg/demo_DQues.gif"> </td>
</tr>
<tr height="122">
<td vAlign="middle" align="center" width="265"> <asp:datagrid id="dgTest" runat="server" ShowHeader="False" AutoGenerateColumns="False" CellPadding="0"
BorderWidth="0px" Width="250" PageSize="5" GridLines="None" HeaderStyle-Height="15" AllowPaging="True">
<ItemStyle HorizontalAlign="Left" Height="20px" CssClass="lg" VerticalAlign="Middle"> </ItemStyle>
<Columns>
<asp:BoundColumn DataField="GName">
<ItemStyle Width="25px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:BoundColumn DataField="SName">
<ItemStyle Width="30px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:TemplateColumn>
<ItemTemplate>
<asp:HyperLink runat="server" CssClass=org Text=' <%# DataBinder.Eval(Container, "DataItem.TestName").ToString().Trim().Length>15 ? DataBinder.Eval(Container, "DataItem.TestName").ToString().Trim().Substring(0,15)+"..." : DataBinder.Eval(Container, "DataItem.TestName").ToString().Trim() %>' NavigateUrl=' <%# DataBinder.Eval(Container, "DataItem.TestId", "onlinetest.aspx?TestId={0}") %>' Target=_blank ID="Hyperlink1" >
</asp:HyperLink>
</ItemTemplate>
</asp:TemplateColumn>
</Columns>
<PagerStyle Visible="False"> </PagerStyle>
</asp:datagrid>
<table cellSpacing="0" cellPadding="0" width="250" border="0">
<tr>
<td align="right"> <asp:label id="lbMoreTest" runat="server">更多>> </asp:label> </td>
</tr>
</table>
</td>
<td width="8"> </td>
<td vAlign="middle" align="center" width="265"> <asp:datagrid id="dgDQues" runat="server" ShowHeader="False" AutoGenerateColumns="False" CellPadding="0"
BorderWidth="0px" Width="250" PageSize="5" GridLines="None" HeaderStyle-Height="15" AllowPaging="True">
<ItemStyle HorizontalAlign="Left" Height="20px" CssClass="lg" VerticalAlign="Middle"> </ItemStyle>
<HeaderStyle Height="15px"> </HeaderStyle>
<Columns>
<asp:BoundColumn DataField="GName">
<ItemStyle Width="25px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:BoundColumn DataField="SName">
<ItemStyle Width="30px" CssClass="webt2"> </ItemStyle>
</asp:BoundColumn>
<asp:TemplateColumn>
<ItemTemplate>
<asp:HyperLink id=HyperLink2 runat="server" Target="_blank" NavigateUrl=' <%# DataBinder.Eval(Container, "DataItem.DQueId", "Rediscuss.aspx?DQueId={0}") %>' Text=' <%# DataBinder.Eval(Container, "DataItem.DQtitle").ToString().Trim().Length>15 ? DataBinder.Eval(Container, "DataItem.DQtitle").ToString().Trim().Substring(0,15)+"..." : DataBinder.Eval(Container, "DataItem.DQtitle").ToString().Trim() %>' CssClass="org">
</asp:HyperLink>
</ItemTemplate>
</asp:TemplateColumn>
</Columns>
<PagerStyle Visible="False"> </PagerStyle>
</asp:datagrid>
<table cellSpacing="0" cellPadding="0" width="250" border="0">
<tr>
<td align="right"> <asp:label id="lbMoreDQues" runat="server">更多>> </asp:label> <A class="blk" href="courseinfo.aspx?demo=all&democol=4" target="_top"> </A> </td>
</tr>
</table>
</td>
</tr>
<tr height="28">
<td width="265" background="../webimg/demo_Expm.gif"> <FONT face="宋体"> </FONT> </td>
<td width="8"> </td>
<td width="265" background="../webimg/demo_English.gif"> </td>
</tr>
<tr height="122">
<td vAlign="middle" align="center" width="265"> <table cellSpacing="0" cellPadding="0" width="220" border="0">
<tr height="15">
<td> </td>
</tr>
<tr>
<td vAlign="middle"> <a class="org" onclick="javascript:alert('    请先登陆');" href="index.aspx"
target="_parent">    ******。 </a>
</td>
</tr>
<tr height="15">
<td> </td>
</tr>
<tr>
<td align="right"> <asp:label id="lbMoreExpm" runat="server">更多... </asp:label> </td>
</tr>
</table>
</td>
<td width="8"> </td>
<td vAlign="middle" align="center" width="265">
<table cellSpacing="0" cellPadding="0" width="220" border="0">
<tr height="15">
<td> </td>
</tr>
<tr>
<td vAlign="middle"> <a class="org" onclick="javascript:alert('    请先登陆');" href="index.aspx"
target="_parent">    《平台》水平。 </a>
</td>
</tr>
<tr height="15">
<td> </td>
</tr>
<tr>
<td align="right"> <asp:label id="lbMoreEnglish" runat="server">更多... </asp:label> </td>
</tr>
</table>
</td>
</tr>
</table>
</td>
<td width="10" background="../webimg/demo_vline_right.gif"> </td>
</tr>
<tr>
<td background="../webimg/demo_line.gif" colSpan="5" height="16"> </td>
</tr>
<tr>
<td colSpan="5" height="4"> </td>
</tr>
</table>
</form>
<form name="showCw" method="post" action="cosw_play.aspx" target="_blank">
<input type="hidden" name="FileName" id="FileName">
</form>
<form name="showEx" method="post" action="exam_download.aspx" target="_blank">
<input type="hidden" name="ExmId" id="ExmId">
</form>
</body>
</HTML> 这段怎么防注入。？各位可以帮我把写完整的代码发出来嘛？谢谢
NavigateUrl=' <%# DataBinder.Eval(Container, "DataItem.TestId", "onlinetest.aspx?TestId={0}") %>'有这样的链接就要防注最方便的方法就是在对数据库的增删改时，sql不要直接用string拼接，所有参数用参数化形式传递
就是用sqlparameter
要在写数据库的时候做些过滤，比如'号，比如<script等等．不要直接拼sql,用参数化的写法．
操作数据库使用参数化
在global里添加过滤操作
http://topic.csdn.net/u/20080502/09/d0b1cdc8-2336-4608-8bdc-e77afe1df122.html
http://topic.csdn.net/u/20090313/14/81e9fd1d-5792-471f-b2d4-fc9111680960.html
如果要简单一点的话，就用在global里做检测
只要在查询字符串中有' -- , < > ;这个些字符就重定向到非法页面
没有比如像ASP加入某个文件连接。，然后利用那个文件过滤发方法嘛？
.net是面象对象的．不像asp包含一个文件就处理了．
http://hi.baidu.com/cgs_cj/blog/item/c7f160893a7300b40f244401.html