5: { 6: //检测到注入后的处理方式: 0:仅警告;1:警告+记录;2:警告+自定义错误页面;3:警告+记录+自定义错误页面
7: private const int _type = 0;
8: private const string errRedirectPage = “/err.aspx”;
9:
10: //如果记录注入信息,那么请设置:errMDBpath:数据库路径
11: private const string errMDBpath = “/SqlInject.mdb”;
12:
13:
14: //过滤特征字符
15: //过滤特征字符
16: private static string StrKeyWord = ConfigurationManager.AppSettings[“SqlKeyWord”]; //@”select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec|master|net local group administrators|net user|or|and”;
17: private static string StrRegex = ConfigurationManager.AppSettings[“SqlRegex”]; //@”;|/|(|)|[|]|{|}|%|@|*|’|!”; // 原始过滤条件:【-|;|,|/|(|)|[|]|{|}|%|@|*|’|!】 18:
19: private HttpRequest request;
20: public SqlInject(System.Web.HttpRequest _request)
21: { 22: this.request = _request;
23: }
24: ///<summary>
25: ///检测SQL注入及记录、显示出错信息
26: ///</summary>
27: public void CheckSqlInject()
28: { 29: bool isInject = false;
30: if (CheckRequestQuery() || CheckRequestForm())
31: { 32: isInject = true;
33: }
34: else
35: { 36: return;
37: }
38:
39: switch (_type)
40: { 41: case 0:
42: ShowErr();
43: break;
44: case 1:
45: ShowErr();
46: SaveToMdb();
47: break;
48: case 2:
49: ShowErr();
50: string temp;
51: System.Web.HttpContext.Current.Response.Write(“<script>setTimeout(”” + “location.href='” + errRedirectPage + “‘” + “”,5000)</script>”);
52: break;
53: case 3:
54: ShowErr();
55: SaveToMdb();
56: System.Web.HttpContext.Current.Response.Write(“<script>setTimeout(”” + “location.href='” + errRedirectPage + “‘” + “”,5000)</script>”);
57: break;
58: default:
59: break;
60: }
61: System.Web.HttpContext.Current.Response.End();
62:
63: }
64: private void SaveToMdb()
65: { 66: OleDbConnection conn = new OleDbConnection(“Provider=Microsoft.JET.OLEDB.4.0;Data Source=” + Server.MapPath(errMDBpath));
