在Global.asax文件里实现通用防SQL注入破绽程序

using System;using System.Collections.Generic;using System.Linq;using System.Web;using System.Text.RegularExpressions; /// <summary>///SQLInjectionHelper 的摘要说明/// </summary>public class SQLInjectionHelper{    /// <summary>    /// 获取Post的数据    /// </summary>    /// <param name="request"></param>    /// <returns></returns>    public static bool ValidUrlData(string request)    {        bool result = false;        if (request == "POST")        {            for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)            {                result = ValidData(HttpContext.Current.Request.Form[i].ToString());                if (result)                {                    break;                }            }        }        else        {            for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)            {                result = ValidData(HttpContext.Current.Request.QueryString[i].ToString());                if (result)                {                    break;                }            }        }        return result;    }     /// <summary>    /// 验证是否存在注入代码    /// </summary>    /// <param name="inputData"></param>    /// <returns></returns>    private static bool ValidData(string inputData)    {        //验证inputData是否包含恶意集合        if (Regex.IsMatch(inputData, GetRegexString()))        {            return true;        }        else        {            return false;        }    }     /// <summary>    /// 获取正则表达式    /// </summary>    /// <returns></returns>    private static string GetRegexString()    {        //构造SQL的注入关键字符        string[] strChar = { "and", "exec", "insert", "select", "update", "delete", "count", "from", "drop", "asc", "or", "char", "%", ";", ":", "\'", "\"", "-", "chr", "master", "mid", "truncate", "declare", "char", "SiteName", "/add", "xp_cmdshell", "net user", "net localgroup administrators", "exec master.dbo.xp_cmdshell" };        string str_Regex = ".*(";        for (int i = 0; i < strChar.Length - 1; i++)        {            str_Regex += strChar[i] + "|";        }        str_Regex += strChar[strChar.Length - 1] + ").*";        return str_Regex;    }}

protected void Application_BeginRequest(object sender, EventArgs e)    {        bool result = false;        result = SQLInjectionHelper.ValidUrlData(Request.RequestType.ToUpper());        if (result)        {            Response.Write("您提交的数据有恶意字符");            Response.End();        }    }

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head runat="server">    <title></title></head><body>    <form id="form1" runat="server">    <div>           <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>        <br />        <asp:Button ID="btnPost" runat="server" Text="获取Post数据"            onclick="btnPost_Click" />       </div>    <asp:Button ID="btnGet" runat="server" Text="获取Get数据" onclick="btnGet_Click" />    </form></body></html>

protected void btnPost_Click(object sender, EventArgs e)    {     }    protected void btnGet_Click(object sender, EventArgs e)    {        Response.Redirect("Default.aspx?a=1&b=2&c=3");    }