.NET网站请求过滤验证防恶意字符

1、Global.asax文件加入判断代码

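/// <summary>
/// Screens every incoming request at the start of the pipeline and ends the
/// response when cookies, the Referer header, the query string or the form
/// fields match the <c>WebSafe</c> deny-list pattern.
/// </summary>
/// <remarks>
/// This is a coarse, defence-in-depth screen based on pattern matching. It does
/// not replace parameterized SQL in the data layer or context-aware output
/// encoding in views; those remain the controls that actually prevent SQL
/// injection and XSS.
/// </remarks>
/// <param name="sender">The application instance raising the event.</param>
/// <param name="e">Unused event data.</param>
void Application_BeginRequest(object sender, EventArgs e)
{
    // NOTE(review): rejections are written with the default status code and are
    // not logged here; consider a 4xx status and an audit log entry so blocked
    // requests are visible to monitoring.

    // Cookies are fully client-controlled.
    if (Request.Cookies != null && WebSafe.CookieData())
    {
        Response.Write("您提交的Cookie数据有恶意字符!");
        Response.End();
    }

    // The Referer header is client-controlled as well. The method is declared
    // as WebSafe.Referer(); C# is case-sensitive, so it must be called with
    // that exact casing.
    if (Request.UrlReferrer != null && WebSafe.Referer())
    {
        Response.Write("您提交的Referrer数据有恶意字符!");
        Response.End();
    }

    // Form fields and the query string are both inspected regardless of the
    // HTTP method: a POST can also carry query-string parameters, and methods
    // other than GET/POST would otherwise skip both checks entirely.
    if (WebSafe.PostData())
    {
        Response.Write("您提交的Post数据有恶意字符!");
        Response.End();
    }

    if (WebSafe.GetData())
    {
        Response.Write("您提交的Get数据有恶意字符!");
        Response.End();
    }
}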


2、附请求过滤验证防恶意字符类库

using System.Text.RegularExpressions;
using System.Web;

namespace Als.Utils.Net
{
    public class WebSafe
    {
        /// <summary>
        /// 过滤字符
        /// </summary>
        private const string StrRegex = @"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";

        /// <summary>
        /// POST请求验证
        /// </summary>
        /// <returns></returns>
        public static bool PostData()
        {
            var result = false;
            for (var i = 0; i < HttpContext.Current.Request.Form.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.Form[i]);
                if (result)
                {
                    break;
                }
            }
            return result;
        }

        /// <summary>
        /// GET请求验证
        /// </summary>
        /// <returns></returns>
        public static bool GetData()
        {
            var result = false;
            for (var i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.QueryString[i]);
                if (result)
                {
                    break;
                }
            }
            return result;
        }

        /// <summary>
        /// 请求COOKIE验证
        /// </summary>
        /// <returns></returns>
        public static bool CookieData()
        {
            var result = false;
            for (var i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.Cookies[i]?.Value.ToLower());
                if (result)
                {
                    break;
                }
            }
            return result;

        }

        /// <summary>
        /// 请求Referer验证
        /// </summary>
        /// <returns></returns>
        public static bool Referer()
        {
            return HttpContext.Current.Request.UrlReferrer != null && CheckData(HttpContext.Current.Request.UrlReferrer.ToString());
        }

        /// <summary>
        /// 字符验证
        /// </summary>
        /// <param name="inputData"></param>
        /// <returns></returns>
        public static bool CheckData(string inputData)
        {
            return Regex.IsMatch(inputData, StrRegex);
        }
    }
}


本文标题:.NET网站请求过滤验证防恶意字符
本文链接:https://masoft.cn/post/74.html
作者授权:除特别说明外,本文由 智汇软件 原创编译并授权 智汇科技 刊载发布。
版权声明:本文使用「署名-禁止演绎 4.0 国际」创作共享协议,转载或使用请遵守署名协议。
