防止SQL注入的ASP.NET方法实例解析

void Application_BeginRequest(object sender, EventArgs e)

{

    bool result = false;

    if (Request.RequestType.ToUpper() == "POST")

    {

       //post方式的我就不写了。

    }

    else

    {

      result = ValidUrlGetData();

    }

    if (result)

    {

      Response.Write("您提交的数据有恶意字符！");

      Response.End();

    }

}

/// <summary>

/// 获取QueryString中的数据

/// </summary>

public static bool ValidUrlGetData()

{

    bool result = false;

    for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)

    {

      result = Validate(HttpContext.Current.Request.QueryString[i].ToString());

      if (result)

      {

        break;

      }//如果检测存在漏洞

    }

    return result;

}

public static string []strs = new string[] {"select","drop","exists","exec","insert","delete","update","and","or","user" };//此处我随便加了几个，大家可以多加点哈。

public static bool Validate(string str)

{

    for (int i = 0; i < strs.Length; i++)

    {

      if (str.IndexOf(strs[i]) != -1)

      {

        return true;

        break;

      }

    }

    return false;

}