.net程序防止sql注入源代码（转）

一个.net程序防止sql注入的方法，方式一如下：将下面的代码加入到Global.asax文件中：

    ///<summary>

    ///防止SQL注入

    ///</summary>

    ///<param ></param>

    ///<param ></param>

    void Application_BeginRequest(Object sender, EventArgs e)

    {

        StartProcessRequest();

 

    }

#region SQL注入式攻击代码分析

    ///<summary>

    ///处理用户提交的请求

    ///</summary>

    private void StartProcessRequest()

    {

        try

        {

            string getkeys = "";

            string sqlErrorPage = "error.aspx";//转向的错误提示页面

            if (System.Web.HttpContext.Current.Request.QueryString != null)

            {

 

                for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)

                {

                    getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];

                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))

                    {

                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);

                        System.Web.HttpContext.Current.Response.End();

                    }

                }

            }

            if (System.Web.HttpContext.Current.Request.Form != null)

            {

                for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)

                {

                    getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];

                    if (getkeys == "__VIEWSTATE") continue;

                    if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))

                    {

                        System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);

                        System.Web.HttpContext.Current.Response.End();

                    }

                }

           }

        }

        catch

        {

            // 错误处理: 处理用户提交信息!

        }

    }

    ///<summary>

    ///分析用户请求是否正常

    ///</summary>

    ///<param >传入用户提交数据 </param>

    ///<returns>返回是否含有SQL注入式攻击代码 </returns>

    private bool ProcessSqlStr(string Str)

    {

        bool ReturnValue = true;

        try

        {

            if (Str.Trim() != "")

            {

                string SqlStr = "and .exec .insert .select .delete .update .count .* .chr .mid .master .truncate .char .declare";

 

                string[] anySqlStr = SqlStr.Split('.');

                foreach (string ss in anySqlStr)

                {

                    if (Str.ToLower().IndexOf(ss) >= 0)

                    {

                        ReturnValue = false;

                        break;

                    }

                }

            }

        }

        catch

        {

            ReturnValue = false;

        }

        return ReturnValue;

    }

    #endregion

方法二如下：在App_Code文件夹中加一个类SqlZr.cs 其内容如下

 

public class SqlZr

{

     public SqlZr()

     {

         //

         // TODO: 在此处添加构造函数逻辑

         //

     }

    public static string DelSQLStr(string str)

    {

        if (str == null || str == "")

            return "";

        str = str.Replace(";", "");

        str = str.Replace("'", "");

        str = str.Replace("&", "");

        str = str.Replace("%20", "");

        str = str.Replace("--", "");

        str = str.Replace("==", "");

        str = str.Replace("<", "");

        str = str.Replace(">", "");

        str = str.Replace("%", "");

        str = str.Replace("+", "");

        str = str.Replace("-", "");

        str = str.Replace("=", "");

        str = str.Replace(",", "");

        return str;

    }

}

 

再将所有项目中的Request.QueryString["id"]改为：

SqlZr.DelSQLStr(Request.QueryString["id"])即可