C#防范Sql注入
ASP 的注入检查请查看下面这篇文章:
数据库被注入解决办法
using System;
using System.Web;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Specialized;
/// <summary>
/// 检查类
/// </summary>
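/// <summary>
/// Request-parameter screening for SQL injection probes.
/// <para>
/// NOTE(review): this is a keyword blacklist, not a defense. It only catches the
/// most naive probes, is bypassable (encodings, comments, keywords not on the
/// list, anything the POST list omits such as "select"), and it rejects legitimate
/// input that happens to contain a listed word ("webmaster", "%"). Treat it as a
/// logging / early-rejection aid. The real protection must be parameterized
/// queries (<see cref="SqlParameter"/>) in the data-access code that consumes
/// these values.
/// </para>
/// </summary>
public class Check{
    // One or more digits with an optional fractional part. The dot is escaped:
    // the original pattern used an unescaped '.', so any single character between
    // two digit runs ("1;2", "1 2", "1'2") was accepted as a "number".
    private static readonly Regex NumberPattern = new Regex(@"^\d+(\.\d+)?$", RegexOptions.Compiled);

    /// <summary>
    /// Checks that a parameter is present and not blank.
    /// </summary>
    /// <param name="str">The value to check.</param>
    /// <returns>true if the value is non-null and contains non-whitespace text; otherwise false.</returns>
    public static bool IsNotNull(string str)
    {
        return str != null && str.Trim() != "";
    }

    /// <summary>
    /// Checks that a value is a plain unsigned decimal number: digits, optionally
    /// followed by '.' and more digits. No sign, exponent or separators are allowed.
    /// Despite the name, "1.5" is accepted, since existing callers may rely on that.
    /// </summary>
    /// <param name="str">The value to check; surrounding whitespace is ignored.</param>
    /// <returns>true for a numeric value; false for null, blank or anything else.</returns>
    public static bool IsInt(string str)
    {
        return IsNotNull(str) && NumberPattern.IsMatch(str.Trim());
    }

    /// <summary>
    /// Records a detected injection attempt in the database for later review.
    /// </summary>
    /// <param name="IP">Client IP address.</param>
    /// <param name="WebPage">Requested page.</param>
    /// <param name="Method">HTTP method the offending value arrived with ("GET" or "POST").</param>
    /// <param name="Key">Name of the offending parameter.</param>
    /// <param name="Value">The offending value.</param>
    /// <param name="_cn">Open database connection to write with.</param>
    private static void WriteSQLInject(string IP, string WebPage, string Method, string Key, string Value, SqlConnection _cn)
    {
        /* The original article omits the INSERT here. When it is implemented it must
           itself use SqlParameter for every column: Key and Value are attacker-controlled
           (and IP / WebPage may be too), so building this INSERT by string concatenation
           would turn the logger into the very injection point it is recording. */
    }

    /// <summary>
    /// For a GET request, verifies that every listed query-string parameter is numeric.
    /// The first parameter that is missing or non-numeric is logged and stops the scan.
    /// </summary>
    /// <param name="IP">Client IP address.</param>
    /// <param name="WebPage">Requested page.</param>
    /// <param name="keys">Query-string parameter names whose values must be numeric.</param>
    /// <param name="_cn">Database connection passed to the logger.</param>
    /// <returns>false if all listed values are numeric; true if any is missing or not numeric.</returns>
    private static bool GetIntCheck(string IP, string WebPage, string[] keys, SqlConnection _cn)
    {
        NameValueCollection query = HttpContext.Current.Request.QueryString;
        foreach (string key in keys)
        {
            string value = query[key];
            if (IsInt(value)) continue;
            // A missing parameter counts as a failure too; otherwise it would reach the
            // query as an empty string. The literal is the log marker for "parameter missing".
            WriteSQLInject(IP, WebPage, "GET", key, IsNotNull(value) ? value : "参数丢失", _cn);
            return true;
        }
        return false;
    }

    /// <summary>
    /// Scans every parameter of the query string ("GET") or form body (any other
    /// method value) for a blacklisted keyword. The first hit is logged and ends the scan.
    /// </summary>
    /// <param name="IP">Client IP address.</param>
    /// <param name="WebPage">Requested page.</param>
    /// <param name="Method">"GET" to scan the query string; anything else scans the form.</param>
    /// <param name="_cn">Database connection passed to the logger.</param>
    /// <returns>true if a blacklisted keyword was found; otherwise false.</returns>
    private static bool GetPostCheck(string IP, string WebPage, string Method, SqlConnection _cn)
    {
        HttpRequest request = HttpContext.Current.Request;
        NameValueCollection nvc = Method == "GET" ? request.QueryString : request.Form;
        // Keyword lists kept exactly as published; note the POST list is the shorter one.
        string[] forbids = Method == "GET"
            ? "#|exec|insert|select|delete|update|%|chr|mid|master|truncate|declare|*".Split('|')
            : "exec|insert|delete|update|master|truncate|declare".Split('|');
        foreach (string key in nvc.Keys)
        {
            string value = nvc[key];
            if (value == null) continue; // nothing to scan; the original dereferenced this unconditionally
            foreach (string fkey in forbids)
            {
                // Ordinal and case-insensitive. The original IndexOf(string) was
                // case-sensitive (and culture-sensitive), so "SELECT" or "Select"
                // walked straight past the list.
                if (value.IndexOf(fkey, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    WriteSQLInject(IP, WebPage, Method, key, value, _cn);
                    return true;
                }
            }
        }
        return false;
    }

    /// <summary>
    /// Runs the injection screen for the current request. On a hit the attempt is
    /// logged, the connection is closed and the request is redirected to the error
    /// page; execution of the calling page does not continue.
    /// </summary>
    /// <param name="_cn">Database connection used by the logger; closed on a hit.</param>
    /// <param name="keys">Query-string parameter names whose values must be numeric; may be empty.</param>
    public static void SQLInject(SqlConnection _cn, params string[] keys)
    {
        HttpContext context = HttpContext.Current;
        string url = context.Request.ServerVariables["url"];
        string ip = DBOP.GetIP();

        // Numeric-parameter check first, then the keyword scan of GET, then of POST.
        bool isErr = keys != null && keys.Length > 0 && GetIntCheck(ip, url, keys, _cn);
        if (!isErr) isErr = GetPostCheck(ip, url, "GET", _cn);
        if (!isErr) isErr = GetPostCheck(ip, url, "POST", _cn);
        if (!isErr) return;

        if (_cn != null) _cn.Close();
        // DBOP.GetIP() is not visible here; if it reads a client-supplied header
        // (X-Forwarded-For etc.) the value is attacker-controlled, so it is
        // URL-encoded before being placed in the redirect target.
        context.Response.Redirect("~/err.html?err=1&ip=" + HttpUtility.UrlEncode(ip));
        context.Response.End(); // Redirect() already ends the response by default; kept as belt-and-braces
    }
}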
using System.Web;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Specialized;
/// <summary>
/// 检查类
/// </summary>
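/// <summary>
/// Request-parameter screening for SQL injection probes.
/// <para>
/// NOTE(review): this is a keyword blacklist, not a defense. It only catches the
/// most naive probes, is bypassable (encodings, comments, keywords not on the
/// list, anything the POST list omits such as "select"), and it rejects legitimate
/// input that happens to contain a listed word ("webmaster", "%"). Treat it as a
/// logging / early-rejection aid. The real protection must be parameterized
/// queries (<see cref="SqlParameter"/>) in the data-access code that consumes
/// these values.
/// </para>
/// </summary>
public class Check{
    // One or more digits with an optional fractional part. The dot is escaped:
    // the original pattern used an unescaped '.', so any single character between
    // two digit runs ("1;2", "1 2", "1'2") was accepted as a "number".
    private static readonly Regex NumberPattern = new Regex(@"^\d+(\.\d+)?$", RegexOptions.Compiled);

    /// <summary>
    /// Checks that a parameter is present and not blank.
    /// </summary>
    /// <param name="str">The value to check.</param>
    /// <returns>true if the value is non-null and contains non-whitespace text; otherwise false.</returns>
    public static bool IsNotNull(string str)
    {
        return str != null && str.Trim() != "";
    }

    /// <summary>
    /// Checks that a value is a plain unsigned decimal number: digits, optionally
    /// followed by '.' and more digits. No sign, exponent or separators are allowed.
    /// Despite the name, "1.5" is accepted, since existing callers may rely on that.
    /// </summary>
    /// <param name="str">The value to check; surrounding whitespace is ignored.</param>
    /// <returns>true for a numeric value; false for null, blank or anything else.</returns>
    public static bool IsInt(string str)
    {
        return IsNotNull(str) && NumberPattern.IsMatch(str.Trim());
    }

    /// <summary>
    /// Records a detected injection attempt in the database for later review.
    /// </summary>
    /// <param name="IP">Client IP address.</param>
    /// <param name="WebPage">Requested page.</param>
    /// <param name="Method">HTTP method the offending value arrived with ("GET" or "POST").</param>
    /// <param name="Key">Name of the offending parameter.</param>
    /// <param name="Value">The offending value.</param>
    /// <param name="_cn">Open database connection to write with.</param>
    private static void WriteSQLInject(string IP, string WebPage, string Method, string Key, string Value, SqlConnection _cn)
    {
        /* The original article omits the INSERT here. When it is implemented it must
           itself use SqlParameter for every column: Key and Value are attacker-controlled
           (and IP / WebPage may be too), so building this INSERT by string concatenation
           would turn the logger into the very injection point it is recording. */
    }

    /// <summary>
    /// For a GET request, verifies that every listed query-string parameter is numeric.
    /// The first parameter that is missing or non-numeric is logged and stops the scan.
    /// </summary>
    /// <param name="IP">Client IP address.</param>
    /// <param name="WebPage">Requested page.</param>
    /// <param name="keys">Query-string parameter names whose values must be numeric.</param>
    /// <param name="_cn">Database connection passed to the logger.</param>
    /// <returns>false if all listed values are numeric; true if any is missing or not numeric.</returns>
    private static bool GetIntCheck(string IP, string WebPage, string[] keys, SqlConnection _cn)
    {
        NameValueCollection query = HttpContext.Current.Request.QueryString;
        foreach (string key in keys)
        {
            string value = query[key];
            if (IsInt(value)) continue;
            // A missing parameter counts as a failure too; otherwise it would reach the
            // query as an empty string. The literal is the log marker for "parameter missing".
            WriteSQLInject(IP, WebPage, "GET", key, IsNotNull(value) ? value : "参数丢失", _cn);
            return true;
        }
        return false;
    }

    /// <summary>
    /// Scans every parameter of the query string ("GET") or form body (any other
    /// method value) for a blacklisted keyword. The first hit is logged and ends the scan.
    /// </summary>
    /// <param name="IP">Client IP address.</param>
    /// <param name="WebPage">Requested page.</param>
    /// <param name="Method">"GET" to scan the query string; anything else scans the form.</param>
    /// <param name="_cn">Database connection passed to the logger.</param>
    /// <returns>true if a blacklisted keyword was found; otherwise false.</returns>
    private static bool GetPostCheck(string IP, string WebPage, string Method, SqlConnection _cn)
    {
        HttpRequest request = HttpContext.Current.Request;
        NameValueCollection nvc = Method == "GET" ? request.QueryString : request.Form;
        // Keyword lists kept exactly as published; note the POST list is the shorter one.
        string[] forbids = Method == "GET"
            ? "#|exec|insert|select|delete|update|%|chr|mid|master|truncate|declare|*".Split('|')
            : "exec|insert|delete|update|master|truncate|declare".Split('|');
        foreach (string key in nvc.Keys)
        {
            string value = nvc[key];
            if (value == null) continue; // nothing to scan; the original dereferenced this unconditionally
            foreach (string fkey in forbids)
            {
                // Ordinal and case-insensitive. The original IndexOf(string) was
                // case-sensitive (and culture-sensitive), so "SELECT" or "Select"
                // walked straight past the list.
                if (value.IndexOf(fkey, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    WriteSQLInject(IP, WebPage, Method, key, value, _cn);
                    return true;
                }
            }
        }
        return false;
    }

    /// <summary>
    /// Runs the injection screen for the current request. On a hit the attempt is
    /// logged, the connection is closed and the request is redirected to the error
    /// page; execution of the calling page does not continue.
    /// </summary>
    /// <param name="_cn">Database connection used by the logger; closed on a hit.</param>
    /// <param name="keys">Query-string parameter names whose values must be numeric; may be empty.</param>
    public static void SQLInject(SqlConnection _cn, params string[] keys)
    {
        HttpContext context = HttpContext.Current;
        string url = context.Request.ServerVariables["url"];
        string ip = DBOP.GetIP();

        // Numeric-parameter check first, then the keyword scan of GET, then of POST.
        bool isErr = keys != null && keys.Length > 0 && GetIntCheck(ip, url, keys, _cn);
        if (!isErr) isErr = GetPostCheck(ip, url, "GET", _cn);
        if (!isErr) isErr = GetPostCheck(ip, url, "POST", _cn);
        if (!isErr) return;

        if (_cn != null) _cn.Close();
        // DBOP.GetIP() is not visible here; if it reads a client-supplied header
        // (X-Forwarded-For etc.) the value is attacker-controlled, so it is
        // URL-encoded before being placed in the redirect target.
        context.Response.Redirect("~/err.html?err=1&ip=" + HttpUtility.UrlEncode(ip));
        context.Response.End(); // Redirect() already ends the response by default; kept as belt-and-braces
    }
}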
ASP 的注入检查请查看下面这篇文章:
数据库被注入解决办法