1.防止sql注入
/// <summary>
/// 分析用户请求是否正常
/// </summary>
/// <param name="Str">传入用户提交数据</param>
/// <returns>返回是否含有SQL注入式攻击代码</returns>
///
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (!string.IsNullOrWhiteSpace(Str))
{
Str = Str.Replace("/*", "");
Str = Str.Replace("*/", "");
Str = Str.ToLower();
string SqlStr = "and |exec |insert |select |delete |update |count | * |chr |mid |master |truncate |char |declare ";
string[] anySqlStr = SqlStr.Split('|');
foreach (string ss in anySqlStr)
{
if (Str.IndexOf(ss) >= )
{
ReturnValue = false;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
2.防止xss注入
private bool ProcessXSSStr(string Str)
{
bool ReturnValue = true;
try
{
if (!string.IsNullOrWhiteSpace(Str))
{
Str = Str.Replace("/*", "");
Str = Str.Replace("*/", "");
Str = Str.ToLower();
string[] anyXSSStr = {"javascript", "vbscript", "script","alert(","expression("
,"onabort", "onactivate", "onafterprint", "onafterupdate", "onbeforeactivate", "onbeforecopy", "onbeforecut", "onbeforedeactivate", "onbeforeeditfocus", "onbeforepaste", "onbeforeprint", "onbeforeunload", "onbeforeupdate", "onblur",
"onbounce", "oncellchange", "onchange", "onclick", "oncontextmenu", "oncontrolselect", "oncopy", "oncut", "ondataavailable", "ondatasetchanged", "ondatasetcomplete", "ondblclick", "ondeactivate", "ondrag", "ondragend", "ondragenter",
"ondragleave", "ondragover", "ondragstart", "ondrop", "onerror", "onerrorupdate", "onfilterchange", "onfinish", "onfocus", "onfocusin", "onfocusout", "onhelp", "onkeydown", "onkeypress", "onkeyup", "onlayoutcomplete", "onload",
"onlosecapture", "onmousedown", "onmouseenter", "onmouseleave", "onmousemove", "onmouseout", "onmouseover", "onmouseup", "onmousewheel", "onmove", "onmoveend", "onmovestart", "onpaste", "onpropertychange", "onreadystatechange",
"onreset", "onresize", "onresizeend", "onresizestart", "onrowenter", "onrowexit", "onrowsdelete", "onrowsinserted", "onscroll", "onselect", "onselectionchange", "onselectstart", "onstart", "onstop", "onsubmit", "onunload"};
foreach (string ss in anyXSSStr)
{
if (Str.IndexOf(ss) >= )
{
ReturnValue = false;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
3.对http请求进行拦截处理,上下文根据程序进行修改
public System.Web.Mvc.ActionResult Execute(Page_Context pageViewContext, PagePositionContext positionContext)
{
if (pageViewContext.ControllerContext.HttpContext.Request.Form != null)
{
for (int i = ; i < pageViewContext.ControllerContext.HttpContext.Request.Form.Keys.Count; i++)
{
string getkeys = pageViewContext.ControllerContext.HttpContext.Request.Form.Keys[i];
string str = pageViewContext.ControllerContext.HttpContext.Request.Form[getkeys];
if (!ProcessSqlStr(str))
{
pageViewContext.ControllerContext.HttpContext.Response.Redirect("~/safe_error");
pageViewContext.ControllerContext.HttpContext.Response.End();
}
}
} if (pageViewContext.ControllerContext.HttpContext.Request.QueryString != null)
{
string url = pageViewContext.ControllerContext.HttpContext.Request.Url.AbsoluteUri; if (!ProcessXSSStr(url))
{
pageViewContext.ControllerContext.HttpContext.Response.Redirect("~/safe_error");
pageViewContext.ControllerContext.HttpContext.Response.End();
} for (int i = ; i < pageViewContext.ControllerContext.HttpContext.Request.QueryString.Count; i++)
{
string getkeys = pageViewContext.ControllerContext.HttpContext.Request.QueryString.Keys[i]; string str = pageViewContext.ControllerContext.HttpContext.Request.Form[getkeys]; if (!ProcessXSSStr(getkeys))
{
pageViewContext.ControllerContext.HttpContext.Response.Redirect("~/safe_error");
pageViewContext.ControllerContext.HttpContext.Response.End();
} if (!ProcessSqlStr(str))
{
pageViewContext.ControllerContext.HttpContext.Response.Redirect("~/safe_error");
pageViewContext.ControllerContext.HttpContext.Response.End();
} }
}
return null;
}
其他方法:
antixss: http://www.cnblogs.com/coderzh/archive/2010/06/24/1764725.html
https://msdn.microsoft.com/en-us/library/aa973813.aspx