免费网站在哪下载,电子商务网站建设实训需求分析,东营区综合频道在线直播观看,网站百度不到验证码怎么办啊问题背景#xff1a;由于公司需要整改的老系统的漏洞检查#xff0c;而系统就是没有使用参数化SQL即拼接查询语句开发的程序#xff0c;导致漏洞扫描出现大量SQL注入问题。
解决方法#xff1a;最好的办法就是不写拼接SQL#xff0c;改用参数化SQL#xff0c;推荐新项目…问题背景由于公司需要整改的老系统的漏洞检查而系统就是没有使用参数化SQL即拼接查询语句开发的程序导致漏洞扫描出现大量SQL注入问题。
解决方法最好的办法就是不写拼接SQL改用参数化SQL推荐新项目使用老项目改起来比较麻烦花费的时间也多最后选择用全局SQL过滤器过滤前端发送的请求内容。
代码
/// summary/// 防止输入参数sql注入Post Get Cookies/// /summarypublic class SqlFilter : ActionFilterAttribute{private const string FilterSql execute,exec,select,insert,update,delete,create,drop,alter,exists,table,sysobjects,truncate,union,and,order,xor,or,mid,cast,where,asc,desc,xp_cmdshell,join,declare,nvarchar,varchar,char,sp_oacreate,wscript.shell,xp_regwrite,,%,;,--;public override void OnActionExecuting(ActionExecutingContext filterContext){// -----------------------防 Post 注入-----------------------if (filterContext.HttpContext.Request.Form ! null){var isReadonly typeof(System.Collections.Specialized.NameValueCollection).GetProperty(IsReadOnly, BindingFlags.Instance | BindingFlags.NonPublic);//把 Form 属性改为可读写isReadonly?.SetValue(filterContext.HttpContext.Request.Form, false, null);for (var k 0; k filterContext.HttpContext.Request.Form.Count; k){var inputKey filterContext.HttpContext.Request.Form.Keys[k];var inputValue filterContext.HttpContext.Request.Form[inputKey];var filters FilterSql.Split(,);inputValue filters.Aggregate(inputValue, (current, filterSql) Regex.Replace(current, filterSql, , RegexOptions.IgnoreCase));filterContext.HttpContext.Request.Form[inputKey] inputValue;}}// -----------------------防 GET 注入-----------------------if (filterContext.HttpContext.Request.QueryString ! null){var isReadonly typeof(System.Collections.Specialized.NameValueCollection).GetProperty(IsReadOnly, BindingFlags.Instance | BindingFlags.NonPublic);//把 QueryString 属性改为可读写isReadonly?.SetValue(filterContext.HttpContext.Request.QueryString, false, null);for (var k 0; k filterContext.HttpContext.Request.QueryString.Count; k){var inputKey filterContext.HttpContext.Request.QueryString.Keys[k];var inputValue filterContext.HttpContext.Request.QueryString[inputKey];var filters FilterSql.Split(,);inputValue filters.Aggregate(inputValue, (current, filterSql) Regex.Replace(current, filterSql, , RegexOptions.IgnoreCase));filterContext.HttpContext.Request.QueryString[inputKey] inputValue;}}// -----------------------防 Cookies 注入-----------------------if (filterContext.HttpContext.Request.Cookies.Count 0){var isReadonly typeof(System.Collections.Specialized.NameValueCollection).GetProperty(IsReadOnly, BindingFlags.Instance | BindingFlags.NonPublic);//把 Cookies 属性改为可读写isReadonly?.SetValue(filterContext.HttpContext.Request.Cookies, false, null);for (var k 0; k filterContext.HttpContext.Request.Cookies.Count; k){var inputKey filterContext.HttpContext.Request.Cookies.Keys[k];var inputValue filterContext.HttpContext.Request.Cookies[inputKey]?.Value;var filters FilterSql.Split(,);inputValue filters.Aggregate(inputValue, (current, filterSql) Regex.Replace(current, filterSql, , RegexOptions.IgnoreCase));if (!(filterContext.HttpContext.Request.Cookies[inputKey] is null)){filterContext.HttpContext.Request.Cookies[inputKey].Value inputValue;}}}base.OnActionExecuting(filterContext);}}
