防SQL注入函数

  • 格式:doc
  • 大小:62.50 KB
  • 文档页数:10

using System;using System.Text.RegularExpressions;using System.Web;namespace FSqlKeyWord......{/**//**//**//// <summary>/// SqlKey 的摘要说明。

/// </summary>public class SqlKey......{private HttpRequest request;private const string StrKeyWord = @"select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec master|netlocalgroup administrators|:|net user|""|or|and";private const string StrRegex = @"[-|;|,|/|(|)|[|]|}|{|%|@|*|!|']";public SqlKey(System.Web.HttpRequest _request)......{//// TODO: 在此处添加构造函数逻辑//this.request = _request;}/**//**//**//// <summary>/// 只读属性SQL关键字/// </summary>public static string KeyWord......{get......{return StrKeyWord;}}/**//**//**//// <summary>/// 只读属性过滤特殊字符/// </summary>public static string RegexString......{......{return StrRegex;}}/**//**//**//// <summary>/// 检查URL参数中是否带有SQL注入可能关键字。

/// </summary>/// <param name="_request">当前HttpRequest对象</param>/// <returns>存在SQL注入关键字true存在,false不存在</returns> public bool CheckRequestQuery()......{if (request.QueryString.Count != 0)......{//若URL中参数存在,逐个比较参数。

for (int i = 0; i < request.QueryString.Count; i++)......{// 检查参数值是否合法。

if (CheckKeyWord(request.QueryString[i].ToString()))......{return true;}}}return false;}/**//**//**//// <summary>/// 检查提交表单中是否存在SQL注入可能关键字/// </summary>/// <param name="_request">当前HttpRequest对象</param>/// <returns>存在SQL注入关键字true存在,false不存在</returns> public bool CheckRequestForm()......{if (request.Form.Count > 0)......{//获取提交的表单项不为0 逐个比较参数for (int i = 0; i < request.Form.Count; i++)//检查参数值是否合法if (CheckKeyWord(request.Form[i]))......{//存在SQL关键字return true;}}}return false;}/**//**//**//// <summary>/// 静态方法,检查_sword是否包涵SQL关键字/// </summary>/// <param name="_sWord">被检查的字符串</param>/// <returns>存在SQL关键字返回true,不存在返回false</returns>public static bool CheckKeyWord(string _sWord)......{if (Regex.IsMatch(_sWord, StrKeyWord, RegexOptions.IgnoreCase) || Regex.IsMatch(_sWord, StrRegex))return true;return false;}/**//**//**//// <summary>/// 反SQL注入:返回1无注入信息,否则返回错误处理/// </summary>/// <returns>返回1无注入信息,否则返回错误处理</returns>public string CheckMessage()......{string msg = "1";if (CheckRequestQuery()) //CheckRequestQuery() || CheckRequestForm() ......{msg = "<span style='font-size:24px;'>非法操作!<br>";msg += "操作IP:" + request.ServerVariables["REMOTE_ADDR"] + "<br>";msg += "操作时间:" + DateTime.Now + "<br>";msg += "页面:" + request.ServerVariables["URL"].ToLower() + "<br>";msg += "<a href="#" onclick="history.back()">返回上一页</a></span>";}return msg.ToString();}}}function sqlcheck(Str,errtype)if Instr(LCase(Str),"select ") > 0 or Instr(LCase(Str),"insert ") > 0 or Instr(LCase(Str),"delete ") > 0 or Instr(LCase(Str),"delete from ") > 0 or Instr(LCase(Str),"count(") > 0 or Instr(LCase(Str),"drop table") > 0 or Instr(LCase(Str),"update ") > 0 or Instr(LCase(Str),"truncate ") > 0 or Instr(LCase(Str),"asc(") > 0 or Instr(LCase(Str),"mid(") > 0 or Instr(LCase(Str),"char(") > 0 or Instr(LCase(Str),"xp_cmdshell") > 0 or Instr(LCase(Str),"exec master") > 0 or Instr(LCase(Str),"net localgroup administrators") > 0 or Instr(LCase(Str),"and ") > 0 or Instr(LCase(Str),"net user") > 0 or Instr(LCase(Str),"or ") > 0 then Response.write("<script language=javascript>" & vbcrlf & "window.location.href ='ShowError.asp?errtype=" & errtype & "'" & vbcrlf & "</script>")Response.Endend ifStr=Replace(Str,"_","") '过滤SQL注入_Str=Replace(Str,"*","") '过滤SQL注入*Str=Replace(Str," ","") '过滤SQL注入空格Str=Replace(Str,chr(34),"") '过滤SQL注入"Str=Replace(Str,chr(39),"") '过滤SQL注入'Str=Replace(Str,chr(91),"") '过滤SQL注入[Str=Replace(Str,chr(93),"") '过滤SQL注入]Str=Replace(Str,chr(37),"") '过滤SQL注入%Str=Replace(Str,chr(58),"") '过滤SQL注入:Str=Replace(Str,chr(59),"") '过滤SQL注入;Str=Replace(Str,chr(43),"") '过滤SQL注入+Str=Replace(Str,"{","") '过滤SQL注入{Str=Replace(Str,"}","") '过滤SQL注入}sqlcheck=Str '返回经过上面字符替换后的Strend function对于网站的安全性,是每个网站开发者和运营者最关心的问题。