
.net全站过滤url危险参数,防注入

在global文件中添加如下代码:



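void Application_BeginRequest(object sender, EventArgs e)
{
    // Site-wide request screening, run before a handler is selected for the request.
    // NOTE(review): both checks below are substring blocklists. They are a coarse first line only and
    // do not replace parameterized SQL and output encoding inside the pages themselves.

    // 1) Screen posted form fields (ViewState excluded) everywhere except under /manager/.
    if (!Regex.IsMatch(Request.RawUrl.ToLower(), @"/manager/"))
    {
        for (int i = 0; i < Request.Form.Count; i++)
        {
            // Fix: the original compared the field VALUE with "__VIEWSTATE", so ViewState itself was
            // still scanned (its base64 payload can trip the blocklist) and any field whose value
            // happened to be "__VIEWSTATE" was the one skipped. Compare the field NAME instead.
            if (string.Equals(Request.Form.Keys[i], "__VIEWSTATE", StringComparison.Ordinal))
                continue;

            // IsDanger treats null as safe, so no ToString() on a possibly-null value is needed.
            if (IsDanger(Request.Form[i]))
            {
                Response.Write("您提交的内容中含有非法字符,已经被拒绝.");
                Response.End(); // ends the response; in classic ASP.NET this unwinds via ThreadAbortException
            }
        }
    }

    // 2) Rewrite query-string values of .aspx requests through HandleRequestParam
    //    (fckeditor URLs are left untouched).
    // NOTE(review): @"/.aspx" is a regex and '.' matches any character, so it matches URLs such as
    // "/.aspx" or "/xaspx" but NOT "/page.aspx"; for ordinary pages this branch is effectively dead.
    // The literal intent is @"\.aspx". It is deliberately left unchanged here: enabling it would pass
    // every query value through HandleRequestParam, which keeps only leading digits and would break
    // any non-numeric parameter. Turn it on as a conscious decision, not as a drive-by fix.
    string lowerUrl = Request.RawUrl.ToLower();
    if (Request.QueryString.Count > 0
        && Regex.IsMatch(lowerUrl, @"/.aspx")
        && !Regex.IsMatch(lowerUrl, @"fckeditor"))
    {
        // The query starts at the first '?'. Guard against a RawUrl without one: the original
        // called Substring with a negative length and threw.
        int queryStart = Request.RawUrl.IndexOf('?');
        if (queryStart >= 0)
        {
            string url = Request.RawUrl.Substring(0, queryStart);
            bool first = true;
            for (int i = 0; i < Request.QueryString.Count; i++)
            {
                try
                {
                    string key = Request.QueryString.Keys[i];
                    if (key == null)
                        continue; // nameless "?value" entries are dropped, as the original did (it threw and swallowed)

                    string value = HandleRequestParam(Request.QueryString[i]);

                    // The separator depends on whether something was already appended, not on i,
                    // so a dropped first parameter no longer yields "path&b=2".
                    url += (first ? "?" : "&") + key + "=" + value;
                    first = false;
                }
                catch
                {
                    // Best effort, as in the original: a parameter that cannot be handled is dropped
                    // from the rewritten URL rather than failing the request.
                }
            }
            Context.RewritePath(url); // Response.Redirect(url) is the alternative
        }
    }

    // 3) Disable page caching site-wide.
    Response.Buffer = true;
    Response.ExpiresAbsolute = DateTime.Now.AddSeconds(-1);
    Response.Expires = 0;
    Response.CacheControl = "no-cache";
}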

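/// <summary>
/// Keeps only the leading run of ASCII digits ('0'..'9') of a query-string value;
/// everything from the first non-digit onward is discarded.
/// </summary>
/// <param name="str">Raw query-string value. null or empty yields an empty string
/// (the original threw NullReferenceException on null).</param>
/// <returns>The leading digits of <paramref name="str"/>, possibly empty.</returns>
/// <remarks>
/// NOTE(review): this is an allowlist for numeric parameters only — any textual parameter
/// routed through it becomes empty. Only apply it to values that are meant to be integers.
/// The original lower-cased the input first; that never affects ASCII digits, so the
/// culture-sensitive ToLower() and the per-character string concatenation are dropped.
/// </remarks>
protected string HandleRequestParam(string str)
{
    if (string.IsNullOrEmpty(str))
        return "";

    // Scan forward while the character is an ASCII digit (code points 48..57 in the original).
    int end = 0;
    while (end < str.Length && str[end] >= '0' && str[end] <= '9')
        end++;

    return str.Substring(0, end);
}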

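// Blocklist of substrings treated as suspicious in user input. Matched case-insensitively:
// SQL keywords and HTML tag names are case-insensitive, so the original case-sensitive match
// let differently-cased variants of the same tokens through. Built once instead of per call.
// NOTE(review): a substring blocklist is a coarse heuristic. It also rejects harmless input that
// merely contains a token (e.g. "character", "joined", "master") and it is not a substitute for
// parameterized SQL and output encoding in the pages.
private static readonly Regex DangerPattern = new Regex(
    @"exec|insert|select|delete|update|master|truncate|char|declare|join|iframe|href|script|<|>|request",
    RegexOptions.IgnoreCase | RegexOptions.Compiled);

/// <summary>
/// Reports whether <paramref name="InText"/> contains any token of the blocklist above.
/// </summary>
/// <param name="InText">Raw input value; null is treated as safe.</param>
/// <returns>true if a blocklisted token occurs anywhere in the text (any letter case); otherwise false.</returns>
protected bool IsDanger(string InText)
{
    if (InText == null)
        return false;

    return DangerPattern.IsMatch(InText);
}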