
using System;


namespace web.comm
{
/// <summary>
/// Request-scanning helpers. <see cref="StartProcessRequest"/> inspects the
/// current request's query-string and form values for a fixed list of SQL
/// keywords and aborts the response when one is found.
/// </summary>
public class ProcessRequest
{
    /// <summary>
    /// Creates an instance. The class keeps no instance state (both of its
    /// methods are static), so there is nothing to initialise here; the
    /// constructor only exists so that existing <c>new ProcessRequest()</c>
    /// call sites keep compiling.
    /// </summary>
    public ProcessRequest()
    {
        // Intentionally empty.
    }
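#region SQL injection filter
/// <summary>
/// Scans every value in the current request's query string and form with
/// <see cref="ProcessSqlStr"/>. On the first value that contains a blacklisted
/// keyword it writes a fixed "do not submit illegal data" alert that sends the
/// browser back, then ends the response. Does nothing when there is no current
/// <c>HttpContext</c>.
/// </summary>
/// <remarks>
/// SECURITY NOTE (review): a keyword blacklist cannot prevent SQL injection —
/// anything not on the list goes through, and legitimate input containing a
/// listed word is rejected. The data-access code must use parameterised
/// queries; treat this method as defence in depth at most.
///
/// Two changes from the listing this replaces: form values are now rejected
/// exactly like query-string values (the form branch had no visible action),
/// and the filter no longer swallows every exception. A bare <c>catch</c> made
/// the filter fail open — any error while reading the request let it through
/// unchecked — so errors (presumably including ASP.NET request validation
/// failures raised when <c>Request.Form</c> is read; confirm for this site)
/// now propagate to the caller instead.
/// </remarks>
public static void StartProcessRequest()
{
    System.Web.HttpContext context = System.Web.HttpContext.Current;
    if (context == null)
    {
        // Not running inside a request (e.g. a background thread): nothing to scan.
        return;
    }

    System.Web.HttpRequest request = context.Request;
    // 0 selects the query-string rule set, 1 the form rule set; see ProcessSqlStr.
    if (!AllValuesClean(request.QueryString, 0) || !AllValuesClean(request.Form, 1))
    {
        // The message is a fixed literal, so nothing user-controlled is
        // reflected into the page. Response.End() stops the ASP.NET pipeline
        // by raising ThreadAbortException; letting that propagate is expected.
        context.Response.Write("<script>alert('請勿非法送出!');history.back();</script>");
        context.Response.End();
    }
}

/// <summary>
/// Runs <see cref="ProcessSqlStr"/> over every entry of a request collection.
/// </summary>
/// <param name="values">Query-string or form collection; null counts as clean.</param>
/// <param name="type">Rule set passed through unchanged to <see cref="ProcessSqlStr"/>.</param>
/// <returns>true when every value passes; false at the first value that does not.</returns>
private static bool AllValuesClean(System.Collections.Specialized.NameValueCollection values, int type)
{
    if (values == null)
    {
        return true;
    }

    for (int i = 0; i < values.Count; i++)
    {
        // Get(i) yields the entry's values joined with commas — the same text
        // the original read via values[values.Keys[i]], including the null key
        // ASP.NET uses for a bare "?token" with no '='.
        if (!ProcessSqlStr(values.Get(i), type))
        {
            return false;
        }
    }
    return true;
}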
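// Keyword lists, one per input source. The element sets are exactly those of
// the original pipe-separated strings: form values (type 1) are matched on
// "keyword + space", query-string values (any other type) on the bare keyword
// plus the single quote and the wildcard character.
private static readonly string[] FormKeywords = new string[]
{
    "exec ", "insert ", "select ", "delete ", "update ", "count ",
    "chr ", "mid ", "master ", "truncate ", "char ", "declare "
};

private static readonly string[] QueryKeywords = new string[]
{
    "'", "and", "exec", "insert", "select", "delete", "update", "count",
    "*", "chr", "mid", "master", "truncate", "char", "declare"
};

/// <summary>
/// Reports whether a submitted value is free of the blacklisted SQL keywords.
/// </summary>
/// <param name="Str">The submitted value. Null or empty is treated as clean
/// (the original returned true for "" but threw on null).</param>
/// <param name="type">1 for form values (keyword followed by a space); any
/// other value for query-string values (bare keyword).</param>
/// <returns>true when no blacklisted keyword occurs in <paramref name="Str"/>,
/// false as soon as one does.</returns>
/// <remarks>
/// SECURITY NOTE (review): this blacklist is not a defence against SQL
/// injection. Anything not listed (comment sequences, UNION, CAST/CONVERT,
/// stacked statements via ';', encoded payloads, ...) passes, and the
/// query-string rule rejects ordinary input — any value containing "and"
/// ("Alexander", "brand") or "*" fails. The data-access layer must use
/// parameterised queries; keep this only as defence in depth.
///
/// Matching is ordinal and case-insensitive so that "SELECT" or "Select" are
/// caught like "select"; the original culture-sensitive, case-sensitive
/// IndexOf let any upper-case keyword through.
/// </remarks>
private static bool ProcessSqlStr(string Str, int type)
{
    if (string.IsNullOrEmpty(Str))
    {
        return true;    // nothing to scan
    }

    string[] keywords = (type == 1) ? FormKeywords : QueryKeywords;
    foreach (string keyword in keywords)
    {
        if (Str.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;   // first hit decides; no need to scan the rest
        }
    }
    return true;
}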
#endregion
}
}
