sql注入问题
sql注入有几种方式啊？除了在地址栏直接输入sql还有哪些呢？一般情况下sql注入是以get为主还是以post为主？sql注入怎么防止注入大量的js？以下代码防止sql注入有哪些不足？
// NOTE(review): fragment of a request-level keyword filter (presumably an HttpModule BeginRequest
// handler; `source` and the method signature are outside this excerpt). It blacklists SQL keywords
// found in GET/POST parameters. A blacklist like this is defence-in-depth at best: the reliable
// mitigation for SQL injection is parameterized queries (SqlParameter) at the data-access layer,
// which this code does not replace.
HttpApplication application = (HttpApplication)source;
HttpContext context = application.Context;
HttpRequest Request = context.Request;
//context.Response.Write("<h1><font color=red>Test: Beginning of Request</font></h1><hr>");
// Filter patterns. NUL is included in the separator class so a NUL byte cannot be used to
// split a token.
char charzero='\0';
string zero = charzero.ToString();
// BUG: `[and|update|select|...]` is a character class, not alternation. It matches one or more of
// the individual letters a,n,d,u,p,t,e,s,l,c,x,i,r,... (and a literal '|'), so the pattern fires
// on any separator-letters-separator sequence -- ordinary text such as "see a cat" is rejected --
// while the keywords are never matched as whole words. Alternation needs `(?:and|update|...)`.
// `[\S|\s]*` is simply "anything"; a leading unbounded prefix plus a required inner match can
// backtrack heavily on long inputs, and no matchTimeout is set.
string strFilter = @"[\S|\s]*[\s|;| |" + zero + @"][and|update|select|exec|insert|delete|declare|truncate]+[\s|;| |" + zero + @"][\S|\s]*";
// Second pattern: a literal single quote followed by or/and. The leading ',' is the separator
// consumed by Split below, so no pattern may itself contain a comma. Same character-class bug.
strFilter += @",[\S|\s]'[\s\s|;| |" + zero + @"][or|and]+[\s|;| |" + zero + @"][\S|\s]*";
// Keyword list echoed to the user in the POST rejection message below.
string alttxt="and|update|select|exec|insert|delete|declare|truncate";
// Filter patterns split into an array (two patterns).
string[] strf;
strf = strFilter.Split(',');
// Application-relative path (~/...). The admin exclusion is an ordinal, case-sensitive substring
// test: "/ADMIN/" is not excluded, and the filter is skipped entirely for any request whose path
// merely contains "/Admin/" or "/admin/" -- confirm that is the intended scope.
String Str=Request.AppRelativeCurrentExecutionFilePath;
if (Str.Trim() != "" && !Str.Trim().Contains("/Admin/") && !Str.Trim().Contains("/admin/"))
{
// Only GET and POST are inspected, and only QueryString / Form values -- cookies, headers and
// other verbs are not covered by this filter.
if (Request.RequestType == "GET")
{
#region 过滤GET方式参数
foreach (string strTemp1 in Request.QueryString)
{
// IsUploadRequest is defined outside this excerpt (presumably a content-type check). When it
// returns true the whole request bypasses the filter, since break leaves the outer loop.
if (IsUploadRequest(Request)) break;
foreach (string strTemp2 in strf)
{
// A Regex is constructed per parameter per request; the two patterns are constants and could
// be cached as static readonly Regex instances (with a matchTimeout).
Regex r = new Regex(strTemp2);
// ToLower() is culture-sensitive; ToLowerInvariant() is the safer choice for a filter.
if (r.IsMatch(Request.QueryString[strTemp1].ToLower()))
{
// Rejection writes a static error page with no explicit status code (the response stays 200),
// then Response.End() terminates the request (in classic System.Web this raises
// ThreadAbortException).
context.Response.Write("<hr><h1><font color=red>URL地址错误,请从正确地址进入.</font></h1>");
context.Response.End();
}
}
}
#endregion
}
else if (Request.RequestType == "POST")
{
#region 过滤POST方式参数
foreach (string strTemp1 in Request.Form)
{
// Same upload bypass as the GET branch.
if (IsUploadRequest(Request)) break;
foreach (string strTemp2 in strf)
{
Regex r = new Regex(strTemp2);
// Only ASP.NET view state is skipped. strTemp1 can be null for a form value sent without
// '=' (NameValueCollection stores a null key), which would throw here -- verify against the
// request shapes this handler sees.
if (strTemp1.ToLower() == "__viewstate") continue;
if (r.IsMatch(Request.Form[strTemp1].ToLower()))
{
// The message tells users to insert spaces into keywords ("a nd"), i.e. it documents that
// the filter depends on word shape; legitimate passwords containing these letters are
// rejected, which is the usability cost of a blacklist.
context.Response.Write("<hr><h1><font color=red>表单中包含非法字符</font></h1><Br>请" + alttxt.Replace("|", ",").ToString() + " 等字符转换成全角,或用空格将字符分开<Br>如and改为a nd或者and,update改为u pdate或者update<Br>如果您的帐户密码是上述字符,请联系管理员<Br><a href='javascript:history.back();'>点此返回上一页。</a>");
context.Response.End();
}
}
}
#endregion
}
}