代碼
復(fù)制代碼代碼如下:
public class SqlHttpModule : IHttpModule
{
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
}
}
在實(shí)現(xiàn)接口的Init方法時(shí),我們選擇了AcquireRequestState事件,為什么不是Begin_Request事件呢?這是因?yàn)槲覀冊(cè)谔幚淼臅r(shí)候可能用的session,而Begin_Request事件執(zhí)行的時(shí)候還沒有加載session狀態(tài)(關(guān)于HttpModule可以參考這一篇)。
2、對(duì)網(wǎng)站提交的數(shù)據(jù)進(jìn)行處理
(1)、GET方式
代碼
復(fù)制代碼代碼如下:
//url提交數(shù)據(jù) get方式
if (context.Request.QueryString != null)
{
for (int i = 0; i < context.Request.QueryString.Count; i++)
{
key = context.Request.QueryString.Keys[i];
value = context.Server.UrlDecode(context.Request.QueryString[key]);
if (!FilterSql(value))
{
throw new Exception("QueryString(GET) including dangerous sql key word!");
}
}
}
(2)、POST方式
代碼
復(fù)制代碼代碼如下:
//表單提交數(shù)據(jù) post方式
if (context.Request.Form != null)
{
for (int i = 0; i < context.Request.Form.Count; i++)
{
key = context.Request.Form.Keys[i];
if (key == "__VIEWSTATE") continue;
value = context.Server.HtmlDecode(context.Request.Form[i]);
if (!FilterSql(value))
{
throw new Exception("Request.Form(POST) including dangerous sql key word!");
}
}
}
完整代碼:
代碼
復(fù)制代碼代碼如下:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text;
namespace DotNet.Common.WebForm
{
/// <summary>
/// 簡(jiǎn)單防止sql注入
/// </summary>
public class SqlHttpModule : IHttpModule
{
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
}
/// <summary>
/// 處理sql注入
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
private void context_AcquireRequestState(object sender, EventArgs e)
{
HttpContext context = ((HttpApplication)sender).Context;
try
{
string key = string.Empty;
string value = string.Empty;
//url提交數(shù)據(jù) get方式
if (context.Request.QueryString != null)
{
for (int i = 0; i < context.Request.QueryString.Count; i++)
{
key = context.Request.QueryString.Keys[i];
value = context.Server.UrlDecode(context.Request.QueryString[key]);
if (!FilterSql(value))
{
throw new Exception("QueryString(GET) including dangerous sql key word!");
}
}
}
//表單提交數(shù)據(jù) post方式
if (context.Request.Form != null)
{
for (int i = 0; i < context.Request.Form.Count; i++)
{
key = context.Request.Form.Keys[i];
if (key == "__VIEWSTATE") continue;
value = context.Server.HtmlDecode(context.Request.Form[i]);
if (!FilterSql(value))
{
throw new Exception("Request.Form(POST) including dangerous sql key word!");
}
}
}
}
catch (Exception ex)
{
throw ex;
}
}
/// <summary>
/// 過濾非法關(guān)鍵字,這個(gè)可以按照項(xiàng)目靈活配置
/// </summary>
/// <param name="key"></param>
/// <returns></returns>
private bool FilterSql(string key)
{
bool flag = true;
try
{
if (!string.IsNullOrEmpty(key))
{
//一般配置在公共的文件中,如xml文件,txt文本等等
string sqlStr = "insert |delete |select |update |exec |varchar |drop |creat |declare |truncate |cursor |begin |open|<-- |--> ";
string[] sqlStrArr = sqlStr.Split('|');
foreach (string strChild in sqlStrArr)
{
if (key.ToUpper().IndexOf(strChild.ToUpper()) != -1)
{
flag = false;
break;
}
}
}
}
catch
{
flag = false;
}
return flag;
}
}
}
3、在web項(xiàng)目中應(yīng)用
只要在web.config的httpModules節(jié)點(diǎn)下面添加如下配置即可。
<httpModules>
<add name="SqlHttpModule" type="DotNet.Common.WebForm.SqlHttpModule, DotNet.Common.WebForm"></add>
</httpModules>
需要說明的是,這個(gè)防止sql注入的方法在特定的小項(xiàng)目中還是很簡(jiǎn)潔高效的,但是不通用,通常我們都是選擇參數(shù)化(利用orm或者ado.net的參數(shù)化)方式防止sql注入。
附:asp.net在網(wǎng)頁頭部引入js腳本的簡(jiǎn)單方法
asp.net開發(fā)少不了JavaScript的輔助。在通常項(xiàng)目中,js文件都組織在一個(gè)公共目錄如js文件夾下。隨著項(xiàng)目的深入,你會(huì)發(fā)現(xiàn)js腳本文件越來越多,公共的腳步庫越來越龐大。實(shí)際使用的時(shí)候,我們通常都是在頁面中通過 <script src="..." type="text/javascript" >形式引入js文件,而且引入的越來越多。下面我們就來簡(jiǎn)單討論在每個(gè)頁面引入公共腳本庫的統(tǒng)一方式,而不用每個(gè)頁面都是很多<script src="..." type="text/javascript" >的形式。
和我們以前的做法一樣,定義一個(gè)頁面基類叫BasePage,事件和方法如下:
Code
復(fù)制代碼代碼如下:
using System;
using System.Data;
using System.Configuration;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using System.Reflection;
using System.Text;
using System.IO;
namespace DotNet.Common.WebForm
{
using DotNet.Common.Model;
using DotNet.Common.Util;
public class BasePage : System.Web.UI.Page
{
public BasePage()
{
}
protected override void OnInit(EventArgs e)
{
base.OnInit(e);
AddHeaderJs();//向網(wǎng)頁頭部添加js等文件
}
#region 網(wǎng)頁頭添加通用統(tǒng)一js文件
private void AddHeaderJs()
{
string jsPath = "~/js/";
string filePath = Server.MapPath(jsPath);
Literal lit = new Literal();
StringBuilder sb = new StringBuilder();
if (!Directory.Exists(filePath))
throw new Exception("路徑不存在");
List<string> listJs = new List<string>();
foreach (var item in Directory.GetFiles(filePath, "*.js", SearchOption.TopDirectoryOnly))
{
listJs.Add(Path.GetFileName(item));
}
foreach (var jsname in listJs)
{
sb.Append(ScriptInclude(jsPath + jsname));
}
lit.Text = sb.ToString();
Header.Controls.AddAt(1, lit);
}
private string ResolveHeaderUrl(string relativeUrl)
{
string url = null;
if (string.IsNullOrEmpty(relativeUrl))
{
url = string.Empty;
}
else if (!relativeUrl.StartsWith("~"))
{
url = relativeUrl;
}
else
{
var basePath = HttpContext.Current.Request.ApplicationPath;
url = basePath + relativeUrl.Substring(1);
url = url.Replace("//", "/");
}
return url;
}
private string ScriptInclude(string url)
{
if (string.IsNullOrEmpty(url))
throw new Exception("路徑不存在");
string path = ResolveHeaderUrl(url);
return string.Format(@"<script src='{0}' type='text/javascript'></script>", path);
}
#endregion
}
}
這樣就簡(jiǎn)單地解決了引入公共js的問題。同樣的原理,你也可以引入其他類型的文件,如css等。
demo下載
