aspx中如何加防恶意刷新代码
发布网友
发布时间:2022-08-24 12:47
共1个回答
热心网友
时间:2024-11-26 06:58
<%@ Application Language="C#" %>
<script RunAt="server">
void Application_BeginRequest(Object sender, EventArgs e)
{
StartProcessRequest();
}
#region SQL注入式攻击代码分析
///<summary>
/// 处理用户提交的请求
/// </summary>
private void StartProcessRequest()
{
try
{
string getkeys = "";
string sqlErrorPage = "../default.aspx";
//转向的错误提示页面
if (System.Web.HttpContext.Current.Request.QueryString != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys == "__VIEWSTATE") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
// 错误处理: 处理用户提交信息!
}
}
///<summary>
/// 分析用户请求是否正常
/// </summary>
///<param name="Str">传入用户提交数据 </param>
///<returns>返回是否含有SQL注入式攻击代码 </returns>
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string SqlStr = "and |exec |insert |select |delete |update |count |* |chr|mid |master |truncate |char |declare";
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss) >= 0)
{ ReturnValue = false; break; }
}
}
}
catch { ReturnValue = false; } return ReturnValue;
}
#endregion
</script>
