在Global.asax文件里实现通用防SQL注入漏洞程序(适应于post/get请求)
程序员文章站
2024-03-04 13:31:53
首先,创建一个sqlinjectionhelper类完成恶意代码的检查 代码如下: 复制代码 代码如下: using system; using system.collec...
首先,创建一个sqlinjectionhelper类完成恶意代码的检查
代码如下:
using system;
using system.collections.generic;
using system.linq;
using system.web;
using system.text.regularexpressions;
/// <summary>
///sqlinjectionhelper 的摘要说明
/// </summary>
public class sqlinjectionhelper
{
/// <summary>
/// 获取post的数据
/// </summary>
/// <param name="request"></param>
/// <returns></returns>
public static bool validurldata(string request)
{
bool result = false;
if (request == "post")
{
for (int i = 0; i < httpcontext.current.request.form.count; i++)
{
result = validdata(httpcontext.current.request.form[i].tostring());
if (result)
{
break;
}
}
}
else
{
for (int i = 0; i < httpcontext.current.request.querystring.count; i++)
{
result = validdata(httpcontext.current.request.querystring[i].tostring());
if (result)
{
break;
}
}
}
return result;
}
/// <summary>
/// 验证是否存在注入代码
/// </summary>
/// <param name="inputdata"></param>
/// <returns></returns>
private static bool validdata(string inputdata)
{
//验证inputdata是否包含恶意集合
if (regex.ismatch(inputdata, getregexstring()))
{
return true;
}
else
{
return false;
}
}
/// <summary>
/// 获取正则表达式
/// </summary>
/// <returns></returns>
private static string getregexstring()
{
//构造sql的注入关键字符
string[] strchar = { "and", "exec", "insert", "select", "update", "delete", "count", "from", "drop", "asc", "or", "char", "%", ";", ":", "\'", "\"", "-", "chr", "master", "mid", "truncate", "declare", "char", "sitename", "/add", "xp_cmdshell", "net user", "net localgroup administrators", "exec master.dbo.xp_cmdshell" };
string str_regex = ".*(";
for (int i = 0; i < strchar.length - 1; i++)
{
str_regex += strchar[i] + "|";
}
str_regex += strchar[strchar.length - 1] + ").*";
return str_regex;
}
}
有此类后即可使用global.asax中的application_beginrequest(object sender, eventargs e)事件来实现表单或者url提交数据的获取,获取后传给sqlinjectionhelper类validurldata方法来完成检查
代码如下
protected void application_beginrequest(object sender, eventargs e)
{
bool result = false;
result = sqlinjectionhelper.validurldata(request.requesttype.toupper());
if (result)
{
response.write("您提交的数据有恶意字符");
response.end();
}
}
下面以一个小程序测试:
创建一个页面,如下
<%@ page language="c#" autoeventwireup="true" codefile="default.aspx.cs" inherits="_default" %>
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:textbox id="textbox1" runat="server"></asp:textbox>
<br />
<asp:button id="btnpost" runat="server" text="获取post数据"
onclick="btnpost_click" />
</div>
<asp:button id="btnget" runat="server" text="获取get数据" onclick="btnget_click" />
</form>
</body>
</html>
分别添加单击事件,如下
protected void btnpost_click(object sender, eventargs e)
{
}
protected void btnget_click(object sender, eventargs e)
{
response.redirect("default.aspx?a=1&b=2&c=3");
}
在文本框中输入非法字符串,无论post请求还是get请求,都会被防sql注入程序所截获
代码如下:
复制代码 代码如下:
using system;
using system.collections.generic;
using system.linq;
using system.web;
using system.text.regularexpressions;
/// <summary>
///sqlinjectionhelper 的摘要说明
/// </summary>
public class sqlinjectionhelper
{
/// <summary>
/// 获取post的数据
/// </summary>
/// <param name="request"></param>
/// <returns></returns>
public static bool validurldata(string request)
{
bool result = false;
if (request == "post")
{
for (int i = 0; i < httpcontext.current.request.form.count; i++)
{
result = validdata(httpcontext.current.request.form[i].tostring());
if (result)
{
break;
}
}
}
else
{
for (int i = 0; i < httpcontext.current.request.querystring.count; i++)
{
result = validdata(httpcontext.current.request.querystring[i].tostring());
if (result)
{
break;
}
}
}
return result;
}
/// <summary>
/// 验证是否存在注入代码
/// </summary>
/// <param name="inputdata"></param>
/// <returns></returns>
private static bool validdata(string inputdata)
{
//验证inputdata是否包含恶意集合
if (regex.ismatch(inputdata, getregexstring()))
{
return true;
}
else
{
return false;
}
}
/// <summary>
/// 获取正则表达式
/// </summary>
/// <returns></returns>
private static string getregexstring()
{
//构造sql的注入关键字符
string[] strchar = { "and", "exec", "insert", "select", "update", "delete", "count", "from", "drop", "asc", "or", "char", "%", ";", ":", "\'", "\"", "-", "chr", "master", "mid", "truncate", "declare", "char", "sitename", "/add", "xp_cmdshell", "net user", "net localgroup administrators", "exec master.dbo.xp_cmdshell" };
string str_regex = ".*(";
for (int i = 0; i < strchar.length - 1; i++)
{
str_regex += strchar[i] + "|";
}
str_regex += strchar[strchar.length - 1] + ").*";
return str_regex;
}
}
有此类后即可使用global.asax中的application_beginrequest(object sender, eventargs e)事件来实现表单或者url提交数据的获取,获取后传给sqlinjectionhelper类validurldata方法来完成检查
代码如下
复制代码 代码如下:
protected void application_beginrequest(object sender, eventargs e)
{
bool result = false;
result = sqlinjectionhelper.validurldata(request.requesttype.toupper());
if (result)
{
response.write("您提交的数据有恶意字符");
response.end();
}
}
下面以一个小程序测试:
创建一个页面,如下
复制代码 代码如下:
<%@ page language="c#" autoeventwireup="true" codefile="default.aspx.cs" inherits="_default" %>
<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:textbox id="textbox1" runat="server"></asp:textbox>
<br />
<asp:button id="btnpost" runat="server" text="获取post数据"
onclick="btnpost_click" />
</div>
<asp:button id="btnget" runat="server" text="获取get数据" onclick="btnget_click" />
</form>
</body>
</html>
分别添加单击事件,如下
复制代码 代码如下:
protected void btnpost_click(object sender, eventargs e)
{
}
protected void btnget_click(object sender, eventargs e)
{
response.redirect("default.aspx?a=1&b=2&c=3");
}
在文本框中输入非法字符串,无论post请求还是get请求,都会被防sql注入程序所截获
图1 测试防sql注入程序的页面
图2 错误信息
上一篇: Android编程实现屏幕禁止休眠的方法