ASP.NET用Global.asax 的Application_BeginRequest事件过滤恶意提交
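/// <summary>
/// Global.asax handler that runs the keyword screen over every POST field and
/// every query-string parameter of the incoming request. ASP.NET binds it by
/// name as Application_BeginRequest, so it runs for every request, static
/// files included.
/// </summary>
/// <param name="sender">The HttpApplication raising the event.</param>
/// <param name="e">Unused event arguments.</param>
protected void application_beginrequest(object sender, EventArgs e)
{
    // NOTE(review): touching Request.Form here forces the request body to be
    // read and buffered for every request, including large uploads — confirm
    // that is acceptable for this application.
    // Only the ViewState hidden field is skipped; other hidden fields such as
    // __EVENTVALIDATION are still checked. The original compared the key
    // case-sensitively against a lower-cased name, which can never match the
    // field ASP.NET actually emits (__VIEWSTATE).
    foreach (string key in this.Request.Form)
    {
        if (string.Equals(key, "__VIEWSTATE", StringComparison.OrdinalIgnoreCase))
        {
            continue;
        }
        // Form[key] is already a string (comma-joined when the key repeats);
        // the former .ToString() call added nothing.
        this.goerr(this.Request.Form[key]);
    }

    // Query-string parameters are screened the same way, nothing skipped.
    foreach (string key in this.Request.QueryString)
    {
        this.goerr(this.Request.QueryString[key]);
    }
}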
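/// <summary>
/// Rejects the current request when <paramref name="tm"/> trips the keyword
/// screen: the client is redirected to the 404 page and the response ends.
/// </summary>
/// <param name="tm">One request parameter value; null is allowed and never matches.</param>
private void goerr(string tm)
{
    if (!sqlfilter2(tm))
    {
        return;
    }
    // Redirect(url) is Redirect(url, true), which calls Response.End() itself;
    // the explicit Response.End() that followed it in the original was never
    // reached. Ending the response raises ThreadAbortException to stop the
    // pipeline — that is the expected ASP.NET behaviour, not an error.
    // NOTE(review): "p404.html" is resolved relative to the current request
    // path — confirm it still resolves for requests below the application root.
    Response.Redirect("p404.html", true);
}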
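/// <summary>
/// Keyword blacklist used as a crude SQL-injection screen. Returns true when
/// <paramref name="intext"/> contains one of the listed words immediately
/// followed by a space or immediately preceded by a space, compared
/// case-insensitively.
/// </summary>
/// <remarks>
/// This is a heuristic, not a defence. It also matches ordinary text ("for a"
/// contains "or "), and only a plain space counts as a separator. Parameterized
/// queries are the actual protection against injection; this screen at most
/// reduces noise, and callers should not rely on it for correctness.
/// </remarks>
/// <param name="intext">The parameter value to inspect; may be null.</param>
/// <returns>True if a listed word was found with a space on either side, otherwise false.</returns>
public static bool sqlfilter2(string intext)
{
    if (string.IsNullOrEmpty(intext))
    {
        return false;
    }

    // Same word list as before, without the per-call Split of a '|' string.
    string[] keywords =
    {
        "and", "exec", "insert", "select", "delete", "update", "chr", "mid",
        "master", "or", "truncate", "char", "declare", "join"
    };

    // Lower once, outside the loop. The original called ToLower() (culture
    // sensitive) on every iteration; under a culture such as tr-TR "INSERT"
    // lowers to "ınsert" and the word is silently missed, so the invariant
    // form is used here.
    string lowered = intext.ToLowerInvariant();

    foreach (string keyword in keywords)
    {
        if (lowered.IndexOf(keyword + " ", StringComparison.Ordinal) >= 0
            || lowered.IndexOf(" " + keyword, StringComparison.Ordinal) >= 0)
        {
            return true;
        }
    }

    return false;
}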
摘自 bql_email的专栏