sql防注入

技术2022-05-19 19

SqlCheck.cs文件

=============================================================

using System;using System.Data;using System.Configuration;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Web.UI.HtmlControls;using System.Data.SqlClient ;/// <summary>/// SqlCheck 的摘要说明/// </summary>

// #region ,#endregion 用于VS代码显示的更美观,能够折叠展开 public class SqlCheck{ public SqlCheck() { // // TODO: 在此处添加构造函数逻辑 // }

public SqlConnection oconn() { SqlConnection conn = new SqlConnection(); conn.ConnectionString = ConfigurationManager.ConnectionStrings["StudyConnectionString"].ToString(); //第1种调用的方法 JK1986_CheckSql(); JK1986_CheckSql(); if ( conn.State == ConnectionState.Closed ) { conn.Open(); } return conn; }

public DataTable getsource(string getds) { SqlConnection conn = oconn(); SqlDataAdapter da = new SqlDataAdapter(getds, conn); DataSet ds = new DataSet(); da.Fill(ds,"news" ); return ds.Tables["news"]; }

public static void JK1986_CheckSql() { string jk1986_sql = "exec↓select↓drop↓alter↓exists↓union↓and↓or↓xor↓order↓mid↓asc↓execute↓xp_cmdshell↓insert↓update↓delete↓join↓declare↓char↓sp_oacreate↓wscript.shell↓xp_regwrite↓'↓;↓--"; string[] jk_sql = jk1986_sql.Split('↓'); foreach (string jk in jk_sql) { // -----------------------防 Post 注入----------------------- if ( System.Web.HttpContext.Current.Request.Form != null) { for (int k = 0; k < System.Web.HttpContext.Current.Request.Form.Count; k++) { string getsqlkey = System.Web.HttpContext.Current.Request.Form.Keys[k]; string getip; if (System.Web.HttpContext.Current.Request.Form[getsqlkey].ToLower().Contains(jk) == true) { System.Web.HttpContext.Current.Response.Write("<script Language=JavaScript>alert('ASP.NET( C#版本 )防注入程序提示您，请勿提交非法字符');</" + "script>"); System.Web.HttpContext.Current.Response.Write("非法操作！系统做了如下记录 ↓" + " "); if (System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null) { getip = System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]; } else { getip = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]; } System.Web.HttpContext.Current.Response.Write("操作 I P ：" + getip + " "); System.Web.HttpContext.Current.Response.Write("操作时间：" + DateTime.Now.ToString() + " "); System.Web.HttpContext.Current.Response.Write("操作页面：" + System.Web.HttpContext.Current.Request.ServerVariables["URL"] + " "); System.Web.HttpContext.Current.Response.Write("提交方式：P O S T " + " "); System.Web.HttpContext.Current.Response.Write("提交参数：" + jk + " "); System.Web.HttpContext.Current.Response.Write("提交数据：" + System.Web.HttpContext.Current.Request.Form[getsqlkey].ToLower() + " "); System.Web.HttpContext.Current.Response.End(); } } } // -----------------------防 GET 注入----------------------- if (System.Web.HttpContext.Current.Request.QueryString != null) { for (int k = 0; k < System.Web.HttpContext.Current.Request.QueryString.Count; k++) { string getsqlkey = System.Web.HttpContext.Current.Request.QueryString.Keys[k]; string getip; if (System.Web.HttpContext.Current.Request.QueryString[getsqlkey].ToLower().Contains(jk) == true) { System.Web.HttpContext.Current.Response.Write("<script Language=JavaScript>alert('ASP.NET( C#版本 )防注入程序提示您，请勿提交非法字符！↓');</" + "script>"); System.Web.HttpContext.Current.Response.Write("非法操作！系统做了如下记录 ↓" + " "); if (System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null) { getip = System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]; } else { getip = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]; } System.Web.HttpContext.Current.Response.Write("操作 I P ：" + getip + " "); System.Web.HttpContext.Current.Response.Write("操作时间：" + DateTime.Now.ToString() + " "); System.Web.HttpContext.Current.Response.Write("操作页面：" + System.Web.HttpContext.Current.Request.ServerVariables["URL"] + " "); System.Web.HttpContext.Current.Response.Write("提交方式：G E T " + " "); System.Web.HttpContext.Current.Response.Write("提交参数：" + jk + " "); System.Web.HttpContext.Current.Response.Write("提交数据：" + System.Web.HttpContext.Current.Request.QueryString[getsqlkey].ToLower() + " "); System.Web.HttpContext.Current.Response.End(); } } }

// -----------------------防 Cookies 注入----------------------- if (System.Web.HttpContext.Current.Request.Cookies != null) { for (int k = 0; k < System.Web.HttpContext.Current.Request.Cookies.Count; k++) { string getsqlkey = System.Web.HttpContext.Current.Request.Cookies.Keys[k]; string getip; if (System.Web.HttpContext.Current.Request.Cookies[getsqlkey].Value.ToLower().Contains(jk) == true) { System.Web.HttpContext.Current.Response.Write("<script Language=JavaScript>alert('ASP.NET( C#版本 )防注入程序提示您，请勿提交非法字符！↓');</" + "script>"); System.Web.HttpContext.Current.Response.Write("非法操作！系统做了如下记录 ↓" + " "); if (System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null) { getip = System.Web.HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]; } else { getip = System.Web.HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]; } System.Web.HttpContext.Current.Response.Write("操作 I P ：" + getip + " "); System.Web.HttpContext.Current.Response.Write("操作时间：" + DateTime.Now.ToString() + " "); System.Web.HttpContext.Current.Response.Write("操作页面：" + System.Web.HttpContext.Current.Request.ServerVariables["URL"] + " "); System.Web.HttpContext.Current.Response.Write("提交方式： Cookies " + " "); System.Web.HttpContext.Current.Response.Write("提交参数：" + jk + " "); System.Web.HttpContext.Current.Response.Write("提交数据：" + System.Web.HttpContext.Current.Request.Cookies[getsqlkey].Value.ToLower() + " "); System.Web.HttpContext.Current.Response.End(); } } }

} } }

使用方法:

=================================

在数据库连接处调用即可，当然也可在Page_Load事件中调用。

不过在这里强烈建议在数据库处调用，可参照以下代码调用:

SqlConnection conn = new SqlCheck().oconn(); // 第2种调用的方法 SqlCheck.JK1986_CheckSql(); string osql = "select count(*) from admin"; SqlCommand ocmd = new SqlCommand(osql, conn); 使用本程序可以方便的让您在开发项目的时候远离SQL注射困扰。

专利

最新回复(0)