asp.net (c#)检测sql注入的类


    using System;using System.Data;using System.Configuration;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Web.UI.HtmlControls;using Microsoft.VisualBasic;

     

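    /// <summary>
    /// CheckSql: scans the current request's query-string and form values for a
    /// fixed blacklist of SQL keywords and delimiter characters. On a hit the
    /// attempt is written to the SqlIn log table and the response is replaced
    /// with a rejection page.
    ///
    /// NOTE(review): a keyword blacklist is a tripwire, not a defence. It both
    /// misses obfuscated input and rejects harmless text such as "account"
    /// (contains "count") or "character" (contains "char"). The query that
    /// actually runs must use parameterized commands regardless of this class.
    /// </summary>
    public class CheckSql
    {
        /// <summary>
        /// Substrings that mark a value as suspicious. One shared copy is used by
        /// CheckStr and by the per-request scan so the two lists cannot drift
        /// apart (the original kept two identical copies). Matching is ordinal
        /// and case-insensitive. The entry "20%and20%" is kept exactly as the
        /// author wrote it; it looks like a transposed "%20and%20" (URL-encoded
        /// " and ") -- TODO confirm. ASP.NET decodes Form/QueryString values
        /// before they reach this class, and the bare "%" entry already matches
        /// that encoded form.
        /// </summary>
        private static readonly string[] ForbiddenTokens =
            ";|'|*|%| and |20%and20%| master |20%master20%|exec|insert|select|delete|count|chr|mid|truncate|char|declare"
                .Split(new char[] { '|' });

        /// <summary>
        /// Data-access helper that executes the log INSERT. Project type; only
        /// ExecTransact(string) is visible from this file.
        /// </summary>
        Base objbase = new Base();

        /// <summary>
        /// Copy of the token list used by the most recent n_check call. Kept as a
        /// public field because existing callers may read it; it is a copy so a
        /// caller cannot alter the shared list through it.
        /// </summary>
        public string[] N_noarray;

        // Client address and page URL captured at the start of CheckBadstring;
        // both are written into the log row and echoed on the rejection page.
        private string N_userIP, N_thispage;

        /// <summary>
        /// The request to scan. The page must assign it (checksql.request = this.Request)
        /// before calling CheckBadstring.
        /// </summary>
        public System.Web.HttpRequest request;

        /// <summary>
        /// The response that receives the rejection page. The page must assign it
        /// before calling CheckBadstring.
        /// </summary>
        public System.Web.HttpResponse response;

        public CheckSql()
        {
        }

        /// <summary>
        /// Returns false when <paramref name="str"/> contains any forbidden token
        /// (case-insensitive), true otherwise. Null and empty input are accepted.
        /// </summary>
        /// <param name="str">The value to inspect; may be null.</param>
        /// <returns>true when no forbidden token is present.</returns>
        public static bool CheckStr(string str)
        {
            return !ContainsForbiddenToken(str);
        }

        /// <summary>
        /// Scans every query-string (GET) and form (POST) value of <see cref="request"/>.
        /// The first value containing a forbidden token is logged and the response
        /// is ended with a rejection page, so in that case this method does not
        /// return normally.
        /// </summary>
        /// <exception cref="InvalidOperationException">
        /// <see cref="request"/> or <see cref="response"/> was not assigned.
        /// </exception>
        public void CheckBadstring()
        {
            if (request == null || response == null)
            {
                throw new InvalidOperationException(
                    "CheckSql.request and CheckSql.response must be assigned before calling CheckBadstring.");
            }

            N_userIP = request.ServerVariables["REMOTE_ADDR"];
            // Stored lower-cased, as the original did; invariant so the log does
            // not depend on the worker process culture.
            N_thispage = (request.ServerVariables["URL"] ?? string.Empty).ToLowerInvariant();

            N_check_Qs();
            N_check_form();
        }

        /// <summary>
        /// Checks each form value under its parameter name as "POST".
        /// The original skipped values of 30 characters or more, which let any
        /// padded value through unchecked; every non-empty value is now scanned.
        /// </summary>
        private void N_check_form()
        {
            ScanCollection(request.Form, "POST");
        }

        /// <summary>Checks each query-string value under its parameter name as "GET".</summary>
        private void N_check_Qs()
        {
            ScanCollection(request.QueryString, "GET");
        }

        /// <summary>
        /// Runs n_check over every entry of <paramref name="values"/>, passing the
        /// real parameter name. (The original passed a field that was never
        /// assigned, so the SqlIn_Cs column was always empty.) Empty values are
        /// skipped; they cannot contain a token.
        /// </summary>
        private void ScanCollection(System.Collections.Specialized.NameValueCollection values, string sqltype)
        {
            if (values == null)
            {
                return;
            }

            for (int i = 0; i < values.Count; i++)
            {
                string value = values[i];
                if (!string.IsNullOrEmpty(value))
                {
                    // GetKey may return null for an unnamed value such as "?foo".
                    n_check(values.GetKey(i), value, sqltype);
                }
            }
        }

        /// <summary>
        /// Logs and rejects <paramref name="agsql"/> (the value of parameter
        /// <paramref name="ag"/>, submitted via <paramref name="sqltype"/>) when it
        /// contains a forbidden token. Only the first hit is reported; the original
        /// called N_regsql once per matching token.
        /// </summary>
        private void n_check(string ag, string agsql, string sqltype)
        {
            N_noarray = (string[])ForbiddenTokens.Clone();

            if (ContainsForbiddenToken(agsql))
            {
                N_regsql(ag, agsql, sqltype);
            }
        }

        /// <summary>
        /// True when any entry of ForbiddenTokens occurs in <paramref name="value"/>
        /// (ordinal, ignoring case). Null or empty input yields false.
        /// </summary>
        private static bool ContainsForbiddenToken(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return false;
            }

            foreach (string token in ForbiddenTokens)
            {
                if (value.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }

            return false;
        }

        /// <summary>
        /// Writes the rejected request to the SqlIn table and, unless
        /// <paramref name="sqltype"/> is "OTHER", replaces the response with a
        /// rejection page and ends it. For "OTHER" the statement is built but
        /// neither executed nor reported -- preserved from the original; the
        /// reason is not visible here.
        /// </summary>
        /// <param name="ag">Parameter name; may be null for unnamed values.</param>
        /// <param name="agsql">The offending raw value.</param>
        /// <param name="sqltype">"GET", "POST" or "OTHER".</param>
        private void N_regsql(string ag, string agsql, string sqltype)
        {
            // Every concatenated value goes through the same neutralising rule the
            // original applied only to agsql (the string delimiter ' becomes ##).
            // The parameter name and page URL are request-controlled as well, so
            // leaving them raw would make this logging statement itself
            // injectable. Base.ExecTransact takes a finished SQL string; if it can
            // accept SqlParameters, prefer that over escaping.
            string sql = "insert into SqlIn(Sqlin_IP,Sqlin_Web,Sqlin_Fs,SqlIn_Cs,Sqlin_Sj,Sqlin_date) values ('"
                + SqlLiteral(N_userIP) + "','" + SqlLiteral(N_thispage) + "','" + SqlLiteral(sqltype) + "','"
                + SqlLiteral(ag) + "','" + SqlLiteral(agsql) + "',getdate())";

            if (sqltype != "OTHER")
            {
                objbase.ExecTransact(sql);

                // The original emitted "<script> Language=Javascript>", which is not
                // a valid opening tag and left the alert unexecuted.
                response.Write("<script type=\"text/javascript\">alert('请不要在参数中包含非法字符尝试注入!');</script>");
                response.Write("<span style='font-size:12px'>非法操作!系统做了如下记录!<br>");
                // Echoed values are HTML-encoded: agsql is raw user input and the
                // blacklist does not cover markup characters, so writing it back
                // unencoded would make the rejection page a reflected-XSS sink.
                response.Write("操作IP:" + HttpUtility.HtmlEncode(N_userIP) + "<br>");
                response.Write("操作时间:" + DateTime.Now + "<br>");
                response.Write("操作页面:" + HttpUtility.HtmlEncode(N_thispage) + "<br>");
                response.Write("提交方式:" + HttpUtility.HtmlEncode(sqltype) + "<br>");
                response.Write("提交数据:" + HttpUtility.HtmlEncode(agsql) + "</span>");
                response.End();
            }
        }

        /// <summary>
        /// Null-safe form of the author's quoting rule: every single quote becomes
        /// "##" so the value cannot terminate the surrounding SQL string literal.
        /// </summary>
        private static string SqlLiteral(string value)
        {
            return value == null ? string.Empty : value.Replace("'", "##");
        }
    }
    使用时在页面中需要验证的位置加入: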

     CheckSql checksql = new CheckSql();            checksql.request = this.Request;            checksql.response = this.Response;            checksql.CheckBadstring();

     

