1 using System;
2 using System.Web;
3 using System.Collections;
4 using System.ComponentModel;
5 using System.Web.SessionState;
6 using System.Configuration;
7 using System.Data;
8 using System.IO;
9 using System.Web.Security;
10 using LTP.Accounts.Bus;
11 namespace cxyy.Web
12 {
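/// <summary>
/// Application-level event handlers for the site (Global.asax code-behind):
/// screens every request's parameters in BeginRequest and gates the "user"
/// area on a session entry in AcquireRequestState.
/// </summary>
public class Global : System.Web.HttpApplication, IRequiresSessionState
{
    /// <summary>
    /// Designer-required container; created in InitializeComponent and not used elsewhere in this file.
    /// </summary>
    private System.ComponentModel.IContainer components = null;

    /// <summary>
    /// Page a request is sent to when one of its parameters is rejected by ProcessSqlStr.
    /// </summary>
    private const string SqlErrorPage = "/default.aspx";

    /// <summary>
    /// Fragments searched for (case-insensitively) in every query-string, form and cookie value.
    /// This is the original pipe-delimited list split into entries; every entry except the
    /// last carries a trailing space, so e.g. "select" followed by a space is matched but
    /// "selected" is not.
    /// </summary>
    private static readonly string[] SuspiciousFragments = new string[]
    {
        "and ", "exec ", "insert ", "select ", "delete ", "update ", "count ",
        "* ", "chr ", "mid ", "master ", "truncate ", "char ", "declare"
    };

    public Global()
    {
        InitializeComponent();
    }

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Nothing to initialise at application start.
    }

    protected void Session_Start(Object sender, EventArgs e)
    {
        // Default style id for a new session.
        Session["Style"] = 1;
    }

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        StartProcessRequest();
    }

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Redirects requests for the "user" area to the registration page when the session
    /// has no "user" entry. Runs after session state has been loaded for the request.
    /// </summary>
    /// <param name="sender">The HttpApplication raising the event.</param>
    /// <param name="e">Unused.</param>
    protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Request.Path is the decoded virtual path without the query string. The original
        // used RawUrl, which still carries the query string and any escaping, so the
        // segment compare below could fail to recognise the "user" area.
        string[] segments = context.Request.Path.Split('/');
        string area = segments.Length > 1 ? segments[1] : "";
        // NOTE(review): like the original, this assumes the application is mounted at the
        // site root; under a virtual directory segments[1] is the directory name — confirm.

        // The original matched only the exact spellings "user" and "User"; paths are not
        // case-sensitive on IIS, so compare ignoring case.
        if (string.Equals(area, "user", StringComparison.OrdinalIgnoreCase))
        {
            if (context.Session == null)
            {
                // No session state was loaded for this request.
                context.Response.Redirect("/Register/index.aspx?3333333333333");
            }
            else if (context.Session["user"] == null)
            {
                context.Response.Redirect("/Register/index.aspx?1111111111111");
            }
        }
        // The original switch also had an "admin" case that applied no check; the admin
        // area is therefore not gated here. NOTE(review): confirm those pages enforce
        // authentication themselves.
    }

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
    }

    protected void Application_Error(Object sender, EventArgs e)
    {
    }

    protected void Session_End(Object sender, EventArgs e)
    {
    }

    protected void Application_End(Object sender, EventArgs e)
    {
    }

    #region Web 窗体设计器生成的代码
    /// <summary>
    /// Required method for designer support - do not modify the contents of this
    /// method with the code editor.
    /// </summary>
    private void InitializeComponent()
    {
        this.components = new System.ComponentModel.Container();
    }
    #endregion

    #region SQL注入式攻击代码分析
    /// <summary>
    /// Screens the current request's query string, form fields and cookies with
    /// ProcessSqlStr and redirects to SqlErrorPage if any value is rejected.
    /// </summary>
    /// <remarks>
    /// If the inspection itself throws, the request is now also redirected (fail closed);
    /// the original swallowed the exception and let the request continue unchecked.
    /// </remarks>
    private void StartProcessRequest()
    {
        HttpContext context = System.Web.HttpContext.Current;
        try
        {
            if (!RequestLooksClean(context.Request))
            {
                // endResponse = true stops the pipeline by raising ThreadAbortException.
                context.Response.Redirect(SqlErrorPage, true);
            }
        }
        catch (System.Threading.ThreadAbortException)
        {
            // Raised by the Redirect above; it must propagate so the response actually ends.
            throw;
        }
        catch (Exception)
        {
            context.Response.Redirect(SqlErrorPage, true);
        }
    }

    /// <summary>
    /// True when every query-string value, every form value except __VIEWSTATE, and
    /// every cookie value passes ProcessSqlStr.
    /// </summary>
    /// <param name="request">The request under inspection.</param>
    private bool RequestLooksClean(HttpRequest request)
    {
        return ValuesLookClean(request.QueryString, null)
            && ValuesLookClean(request.Form, "__VIEWSTATE")
            && CookiesLookClean(request.Cookies);
    }

    /// <summary>
    /// Runs ProcessSqlStr over each entry of a name/value collection.
    /// </summary>
    /// <param name="values">Query string or form collection; null is treated as empty.</param>
    /// <param name="skipKey">Key whose value is not inspected (the original skipped __VIEWSTATE), or null.</param>
    /// <returns>False at the first rejected value, otherwise true.</returns>
    private bool ValuesLookClean(System.Collections.Specialized.NameValueCollection values, string skipKey)
    {
        if (values == null)
        {
            return true;
        }
        for (int i = 0; i < values.Count; i++)
        {
            if (skipKey != null && values.Keys[i] == skipKey)
            {
                continue;
            }
            // values[i] is the comma-joined value for that entry, the same text the
            // original obtained by indexing with the key.
            if (!ProcessSqlStr(values[i]))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Runs ProcessSqlStr over the text of each cookie.
    /// </summary>
    /// <param name="cookies">Cookie collection; null is treated as empty.</param>
    /// <returns>False at the first rejected cookie, otherwise true.</returns>
    private bool CookiesLookClean(HttpCookieCollection cookies)
    {
        if (cookies == null)
        {
            return true;
        }
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            // The original passed cookie.ToString(); HttpCookie does not override
            // ToString, so that was the type name rather than the cookie text and the
            // cookies were never actually inspected. Value is the cookie's text.
            if (cookie != null && !ProcessSqlStr(cookie.Value))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Checks a submitted value against SuspiciousFragments.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist, not a defence against SQL injection: it rejects
    /// ordinary text (any value containing "and ", "count " or "* ") and cannot cover
    /// every way of writing a statement. The data-access code must use parameterised
    /// commands regardless of this check.
    /// </remarks>
    /// <param name="Str">Submitted value; null, empty and whitespace-only values are accepted.</param>
    /// <returns>True when no fragment is found, false when one is.</returns>
    private bool ProcessSqlStr(string Str)
    {
        if (Str == null || Str.Trim().Length == 0)
        {
            return true;
        }
        foreach (string fragment in SuspiciousFragments)
        {
            // Ordinal, case-insensitive search replaces the original ToLower()+IndexOf,
            // which was culture-sensitive.
            if (Str.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }
        return true;
    }
    #endregion

}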
186 }
187
2 using System.Web;
3 using System.Collections;
4 using System.ComponentModel;
5 using System.Web.SessionState;
6 using System.Configuration;
7 using System.Data;
8 using System.IO;
9 using System.Web.Security;
10 using LTP.Accounts.Bus;
11 namespace cxyy.Web
12 {
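/// <summary>
/// Application-level event handlers for the site (Global.asax code-behind):
/// screens every request's parameters in BeginRequest and gates the "user"
/// area on a session entry in AcquireRequestState.
/// </summary>
public class Global : System.Web.HttpApplication, IRequiresSessionState
{
    /// <summary>
    /// Designer-required container; created in InitializeComponent and not used elsewhere in this file.
    /// </summary>
    private System.ComponentModel.IContainer components = null;

    /// <summary>
    /// Page a request is sent to when one of its parameters is rejected by ProcessSqlStr.
    /// </summary>
    private const string SqlErrorPage = "/default.aspx";

    /// <summary>
    /// Fragments searched for (case-insensitively) in every query-string, form and cookie value.
    /// This is the original pipe-delimited list split into entries; every entry except the
    /// last carries a trailing space, so e.g. "select" followed by a space is matched but
    /// "selected" is not.
    /// </summary>
    private static readonly string[] SuspiciousFragments = new string[]
    {
        "and ", "exec ", "insert ", "select ", "delete ", "update ", "count ",
        "* ", "chr ", "mid ", "master ", "truncate ", "char ", "declare"
    };

    public Global()
    {
        InitializeComponent();
    }

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Nothing to initialise at application start.
    }

    protected void Session_Start(Object sender, EventArgs e)
    {
        // Default style id for a new session.
        Session["Style"] = 1;
    }

    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        StartProcessRequest();
    }

    protected void Application_EndRequest(Object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Redirects requests for the "user" area to the registration page when the session
    /// has no "user" entry. Runs after session state has been loaded for the request.
    /// </summary>
    /// <param name="sender">The HttpApplication raising the event.</param>
    /// <param name="e">Unused.</param>
    protected void Application_AcquireRequestState(Object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // Request.Path is the decoded virtual path without the query string. The original
        // used RawUrl, which still carries the query string and any escaping, so the
        // segment compare below could fail to recognise the "user" area.
        string[] segments = context.Request.Path.Split('/');
        string area = segments.Length > 1 ? segments[1] : "";
        // NOTE(review): like the original, this assumes the application is mounted at the
        // site root; under a virtual directory segments[1] is the directory name — confirm.

        // The original matched only the exact spellings "user" and "User"; paths are not
        // case-sensitive on IIS, so compare ignoring case.
        if (string.Equals(area, "user", StringComparison.OrdinalIgnoreCase))
        {
            if (context.Session == null)
            {
                // No session state was loaded for this request.
                context.Response.Redirect("/Register/index.aspx?3333333333333");
            }
            else if (context.Session["user"] == null)
            {
                context.Response.Redirect("/Register/index.aspx?1111111111111");
            }
        }
        // The original switch also had an "admin" case that applied no check; the admin
        // area is therefore not gated here. NOTE(review): confirm those pages enforce
        // authentication themselves.
    }

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
    }

    protected void Application_Error(Object sender, EventArgs e)
    {
    }

    protected void Session_End(Object sender, EventArgs e)
    {
    }

    protected void Application_End(Object sender, EventArgs e)
    {
    }

    #region Web 窗体设计器生成的代码
    /// <summary>
    /// Required method for designer support - do not modify the contents of this
    /// method with the code editor.
    /// </summary>
    private void InitializeComponent()
    {
        this.components = new System.ComponentModel.Container();
    }
    #endregion

    #region SQL注入式攻击代码分析
    /// <summary>
    /// Screens the current request's query string, form fields and cookies with
    /// ProcessSqlStr and redirects to SqlErrorPage if any value is rejected.
    /// </summary>
    /// <remarks>
    /// If the inspection itself throws, the request is now also redirected (fail closed);
    /// the original swallowed the exception and let the request continue unchecked.
    /// </remarks>
    private void StartProcessRequest()
    {
        HttpContext context = System.Web.HttpContext.Current;
        try
        {
            if (!RequestLooksClean(context.Request))
            {
                // endResponse = true stops the pipeline by raising ThreadAbortException.
                context.Response.Redirect(SqlErrorPage, true);
            }
        }
        catch (System.Threading.ThreadAbortException)
        {
            // Raised by the Redirect above; it must propagate so the response actually ends.
            throw;
        }
        catch (Exception)
        {
            context.Response.Redirect(SqlErrorPage, true);
        }
    }

    /// <summary>
    /// True when every query-string value, every form value except __VIEWSTATE, and
    /// every cookie value passes ProcessSqlStr.
    /// </summary>
    /// <param name="request">The request under inspection.</param>
    private bool RequestLooksClean(HttpRequest request)
    {
        return ValuesLookClean(request.QueryString, null)
            && ValuesLookClean(request.Form, "__VIEWSTATE")
            && CookiesLookClean(request.Cookies);
    }

    /// <summary>
    /// Runs ProcessSqlStr over each entry of a name/value collection.
    /// </summary>
    /// <param name="values">Query string or form collection; null is treated as empty.</param>
    /// <param name="skipKey">Key whose value is not inspected (the original skipped __VIEWSTATE), or null.</param>
    /// <returns>False at the first rejected value, otherwise true.</returns>
    private bool ValuesLookClean(System.Collections.Specialized.NameValueCollection values, string skipKey)
    {
        if (values == null)
        {
            return true;
        }
        for (int i = 0; i < values.Count; i++)
        {
            if (skipKey != null && values.Keys[i] == skipKey)
            {
                continue;
            }
            // values[i] is the comma-joined value for that entry, the same text the
            // original obtained by indexing with the key.
            if (!ProcessSqlStr(values[i]))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Runs ProcessSqlStr over the text of each cookie.
    /// </summary>
    /// <param name="cookies">Cookie collection; null is treated as empty.</param>
    /// <returns>False at the first rejected cookie, otherwise true.</returns>
    private bool CookiesLookClean(HttpCookieCollection cookies)
    {
        if (cookies == null)
        {
            return true;
        }
        for (int i = 0; i < cookies.Count; i++)
        {
            HttpCookie cookie = cookies[i];
            // The original passed cookie.ToString(); HttpCookie does not override
            // ToString, so that was the type name rather than the cookie text and the
            // cookies were never actually inspected. Value is the cookie's text.
            if (cookie != null && !ProcessSqlStr(cookie.Value))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Checks a submitted value against SuspiciousFragments.
    /// </summary>
    /// <remarks>
    /// This is a keyword blacklist, not a defence against SQL injection: it rejects
    /// ordinary text (any value containing "and ", "count " or "* ") and cannot cover
    /// every way of writing a statement. The data-access code must use parameterised
    /// commands regardless of this check.
    /// </remarks>
    /// <param name="Str">Submitted value; null, empty and whitespace-only values are accepted.</param>
    /// <returns>True when no fragment is found, false when one is.</returns>
    private bool ProcessSqlStr(string Str)
    {
        if (Str == null || Str.Trim().Length == 0)
        {
            return true;
        }
        foreach (string fragment in SuspiciousFragments)
        {
            // Ordinal, case-insensitive search replaces the original ToLower()+IndexOf,
            // which was culture-sensitive.
            if (Str.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }
        return true;
    }
    #endregion

}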
186 }
187
我不知道别的方法,开始自己写个过滤器,然后注册,感觉也蛮好的哈,不过都是网上摘的,还是系统原来自带的文件来的感觉踏实。。。不知道会不会有错误,先这么写着吧
下面是抄的
前段时间因为一个特定需求写了下面的代码。需求如下:在用户访问本站所有 aspx 页面时,首先判断用户的 Session["login"] 是否存在;如果不存在,说明该用户未登录,要让该用户跳转到指定的页面。所以想写一个 Session 的过滤器,思前想后,应该写一个实现 IHttpModule 接口的处理类。试验了几种方式,发现只有把方法挂接到 AcquireRequestState 事件中才能读取 Session。
共享代码如下 MyModule.cs
1 using System;
2 using System.Data;
3 using System.Configuration;
4 using System.Web;
5 using System.Web.Security;
6 using System.Web.UI;
7 using System.Web.UI.WebControls;
8 using System.Web.UI.WebControls.WebParts;
9 using System.Web.UI.HtmlControls;
10
11
12 /// <summary>
13 /// MyModule 的摘要说明
14 /// </summary>
15 public class MyModule:IHttpModule
16 {
/// <summary>
/// Creates the module; all wiring happens later in Init, so there is nothing to do here.
/// </summary>
public MyModule()
{
}
23
24 #region IHttpModule 成员
25
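/// <summary>
/// Releases module resources. The runtime calls this on application shutdown, so it
/// must not throw; the original threw on every call. This module holds nothing that
/// needs releasing.
/// </summary>
public void Dispose()
{
}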
30
/// <summary>
/// Subscribes the session check to the application's AcquireRequestState event,
/// the first pipeline stage at which Session is available.
/// </summary>
/// <param name="context">The application this module is being attached to.</param>
public void Init(HttpApplication context)
{
    context.AcquireRequestState += application_AcquireRequestState;
}
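/// <summary>
/// Runs once per request after session state is loaded: requests whose session has no
/// non-empty "userName" entry are transferred to the login page.
/// </summary>
/// <param name="sender">The HttpApplication raising AcquireRequestState.</param>
/// <param name="e">Unused.</param>
public void application_AcquireRequestState(object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication)sender;
    HttpContext context = app.Context;

    // Requests whose handler does not use session state have Session == null; the
    // original dereferenced it and threw a NullReferenceException on such requests.
    // There is nothing to check for them, so they are let through.
    if (context.Session == null)
    {
        return;
    }

    // The login page itself must stay reachable: without this exemption every visit to
    // it (including the form post that logs the user in) is transferred back to it.
    // NOTE(review): assumes the page is named login.aspx as in the Transfer target below.
    if (context.Request.Path.EndsWith("/login.aspx", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    object userName = context.Session["userName"];
    if (userName == null || userName.ToString().Trim().Length == 0)
    {
        // As in the original, "login.aspx" is resolved relative to the current request's
        // directory; Transfer executes that page within this request and ends the response.
        context.Server.Transfer("login.aspx");
    }
}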
45 #endregion
46
47
48
49 web.config 配置如下
50
51 <system.web>
52
53 <httpModules>
54 <add name="myModule" type="MyModule"/>
55 </httpModules>
56
57 </system.web>
58
2 using System.Data;
3 using System.Configuration;
4 using System.Web;
5 using System.Web.Security;
6 using System.Web.UI;
7 using System.Web.UI.WebControls;
8 using System.Web.UI.WebControls.WebParts;
9 using System.Web.UI.HtmlControls;
10
11
12 /// <summary>
13 /// MyModule 的摘要说明
14 /// </summary>
15 public class MyModule:IHttpModule
16 {
/// <summary>
/// Creates the module; all wiring happens later in Init, so there is nothing to do here.
/// </summary>
public MyModule()
{
}
23
24 #region IHttpModule 成员
25
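/// <summary>
/// Releases module resources. The runtime calls this on application shutdown, so it
/// must not throw; the original threw on every call. This module holds nothing that
/// needs releasing.
/// </summary>
public void Dispose()
{
}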
30
/// <summary>
/// Subscribes the session check to the application's AcquireRequestState event,
/// the first pipeline stage at which Session is available.
/// </summary>
/// <param name="context">The application this module is being attached to.</param>
public void Init(HttpApplication context)
{
    context.AcquireRequestState += application_AcquireRequestState;
}
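/// <summary>
/// Runs once per request after session state is loaded: requests whose session has no
/// non-empty "userName" entry are transferred to the login page.
/// </summary>
/// <param name="sender">The HttpApplication raising AcquireRequestState.</param>
/// <param name="e">Unused.</param>
public void application_AcquireRequestState(object sender, EventArgs e)
{
    HttpApplication app = (HttpApplication)sender;
    HttpContext context = app.Context;

    // Requests whose handler does not use session state have Session == null; the
    // original dereferenced it and threw a NullReferenceException on such requests.
    // There is nothing to check for them, so they are let through.
    if (context.Session == null)
    {
        return;
    }

    // The login page itself must stay reachable: without this exemption every visit to
    // it (including the form post that logs the user in) is transferred back to it.
    // NOTE(review): assumes the page is named login.aspx as in the Transfer target below.
    if (context.Request.Path.EndsWith("/login.aspx", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    object userName = context.Session["userName"];
    if (userName == null || userName.ToString().Trim().Length == 0)
    {
        // As in the original, "login.aspx" is resolved relative to the current request's
        // directory; Transfer executes that page within this request and ends the response.
        context.Server.Transfer("login.aspx");
    }
}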
45 #endregion
46
47
48
49 web.config 配置如下
50
51 <system.web>
52
53 <httpModules>
54 <add name="myModule" type="MyModule"/>
55 </httpModules>
56
57 </system.web>
58