asp.net anti sql injection

 

Add a sensitive-SQL filter in the global program file (Global.asax) so every request is checked before page code runs:

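/// <summary>
/// Runs the SQL-keyword check over every incoming request before any page code executes:
/// all posted form fields (except the framework's own hidden fields), all query-string
/// parameters and the user_id value of the UserSettings cookie. A hit redirects to the
/// error page (see goErr).
/// </summary>
/// <remarks>
/// This is a request-level blacklist and only a defense-in-depth measure; the data layer
/// must still use parameterized queries.
/// </remarks>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Framework-generated hidden fields are base64/hex blobs that routinely contain
    // substrings such as "or" or "and"; checking them would redirect ordinary postbacks.
    string[] frameworkFields = { "__VIEWSTATE", "__VIEWSTATEGENERATOR", "__EVENTVALIDATION" };

    // Posted form fields, framework hidden fields excluded.
    foreach (string key in this.Request.Form)
    {
        if (Array.IndexOf(frameworkFields, key) >= 0) continue;
        this.goErr(this.Request.Form[key], key);
    }

    // Query-string parameters.
    foreach (string key in this.Request.QueryString)
    {
        this.goErr(this.Request.QueryString[key], key);
    }

    // Only the user_id sub-value of the UserSettings cookie is checked.
    var userSettings = Request.Cookies["UserSettings"];
    if (userSettings != null && userSettings["user_id"] != null)
    {
        this.goErr(userSettings["user_id"], "Cookie_UserSettings_User_id");
    }
}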
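/// <summary>
/// Checks one request parameter with sqlFilter and, on a hit, aborts the request by
/// redirecting to the error page with the offending page's URL in the RURL query parameter.
/// </summary>
/// <param name="text">The parameter value to check; may be null.</param>
/// <param name="parmeterName">The parameter (or cookie) name, used by sqlFilter to exempt
/// known free-text controls; null is treated as empty.</param>
private void goErr(string text, string parmeterName)
{
    if (parmeterName == null) parmeterName = string.Empty;
    if (sqlFilter(text, parmeterName))
    {
        // Rebuild the request URL without its query string so the error page can link
        // back to the page itself. The real scheme is used instead of a hard-coded
        // "http://" so that HTTPS requests produce an HTTPS link.
        // NOTE(review): Request.Url.Authority comes from the client's Host header, so
        // Error.aspx must not redirect to RURL without validating it against its own host.
        string rurl = Request.Url.Scheme + Uri.SchemeDelimiter + Request.Url.Authority
                      + Request.RawUrl.Split('?')[0];
        Response.Redirect("/Error.aspx?RURL=" + Server.UrlEncode(rurl));
    }
}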
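/// <summary>
/// SQL-injection keyword/character filter for one request parameter.
/// </summary>
/// <param name="InText">The parameter value to check; null never matches.</param>
/// <param name="parmeterName">The parameter name; values of the controls listed in
/// excludeName skip the special-character check. Null is treated as empty.</param>
/// <returns>true if the value looks unsafe, false otherwise.</returns>
/// <remarks>
/// This is a substring blacklist: "or", "and", "mid", "chr" and "char" also match ordinary
/// words such as "order" or "Richard", so pages with free-text inputs must be listed in
/// excludePageName. A blacklist cannot replace parameterized queries and should be
/// treated as a defense-in-depth layer only.
/// </remarks>
public bool sqlFilter(string InText, string parmeterName)
{
    // Pages exempt from the whole check, separated by "|". For sub-directories give the
    // parent directory, e.g. /exam/aaa.aspx; compared in lower case.
    string excludePageName = "coursemanager/addcourse.aspx|TrainingClass/TrainingClassEdit.aspx|Exam/exam_result.aspx".ToLowerInvariant();
    string url = Request.Url.ToString().Split('?')[0].Trim().ToLowerInvariant();
    foreach (string page in excludePageName.Split('|'))
    {
        if (!string.IsNullOrEmpty(page) && url.Contains(page))
            return false;
    }

    if (InText == null)
        return false;

    // Keyword filter.
    if (ContainsSqlKeyword(InText))
        return true;

    // Controls whose values legitimately contain quotes (name substrings, "|"-separated)
    // skip the special-character check.
    string excludeName = "password|loginpass|txtremark|ftbcontent";
    string lowerName = (parmeterName ?? string.Empty).ToLowerInvariant();
    foreach (string control in excludeName.Split('|'))
    {
        if (lowerName.Contains(control))
            return false;
    }

    return ContainsSqlSpecialChar(InText);
}

/// <summary>
/// Returns true when <paramref name="text"/> contains any blacklisted SQL keyword as a
/// substring, ignoring case.
/// </summary>
private static bool ContainsSqlKeyword(string text)
{
    const string keywords = "and|exec|execute|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|cmd|drop|xp_cmdshell|xp_delete_file|xp_regread|xp_regwrite|xp_dirtree";
    foreach (string keyword in keywords.Split('|'))
    {
        // Ordinal, case-insensitive comparison: culture-sensitive lowering (e.g. under a
        // Turkish culture) can map "INSERT" to a form the blacklist no longer recognizes.
        if (text.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
            return true;
    }
    return false;
}

/// <summary>
/// Returns true when <paramref name="text"/> contains a single quote or a SQL block
/// comment delimiter. (The original author also considered a double quote, "+" and "-"
/// but left those checks disabled.)
/// </summary>
private static bool ContainsSqlSpecialChar(string text)
{
    return text.Contains("'") || text.Contains("/*") || text.Contains("*/");
}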


Origin www.cnblogs.com/wq555/p/11460067.html