ASP.NET: using an HttpModule for basic SQL-injection filtering, and for loading style and JS files

1. Create a new class that implements the IHttpModule interface.
The code is as follows:
public class SqlHttpModule : IHttpModule
{
    public void Dispose()
    {
    }

    /// <summary>
    /// Subscribes the request check to AcquireRequestState, the point in the
    /// pipeline at which session state is already available to the handler.
    /// </summary>
    /// <param name="context">The application whose pipeline events are hooked.</param>
    public void Init(HttpApplication context)
    {
        // Method-group conversion; produces the same delegate as new EventHandler(...).
        context.AcquireRequestState += context_AcquireRequestState;
    }
}

 

When implementing the interface's Init method, we chose the AcquireRequestState event rather than BeginRequest. The reason is that session state may be needed during processing, and when BeginRequest fires, session state has not yet been loaded (see the linked article for more about HttpModule).
2. Process the data submitted to the site
(1) GET
Code
The code is as follows:

// url submission of data get way
// Excerpt from context_AcquireRequestState: `context`, `key`, `value` and FilterSql
// are declared in the complete listing further down this page.
// Every query-string value is run through the keyword blacklist; a hit aborts the
// request with an exception. Only the query string is covered here, not cookies,
// headers or route values.
if (context.Request.QueryString != null)
{
for (int i = 0; i < context.Request.QueryString.Count; i++)
{
key = context.Request.QueryString.Keys[i];
// NOTE(review): Request.QueryString is already URL-decoded by ASP.NET, so this
// second UrlDecode inspects a doubly-decoded form of the value — confirm intended.
value = context.Server.UrlDecode(context.Request.QueryString[key]);
if (!FilterSql(value))
{
// A plain Exception presumably surfaces as a generic server error page unless
// something upstream handles it.
throw new Exception("QueryString(GET) including dangerous sql key word!");
}
}
}

 


(2) POST
Code
The code is as follows:

// form submission data post fashion
// Excerpt from context_AcquireRequestState: `context`, `key`, `value` and FilterSql
// are declared in the complete listing further down this page.
if (context.Request.Form != null)
{
for (int i = 0; i < context.Request.Form.Count; i++)
{
key = context.Request.Form.Keys[i];
// __VIEWSTATE is an opaque ASP.NET field rather than user text, so it is skipped.
// NOTE(review): other framework hidden fields (e.g. __EVENTVALIDATION) are still
// scanned — confirm they cannot trip the blacklist.
if (key == "__VIEWSTATE") continue;
// NOTE(review): form values are not HTML-encoded by browsers; HtmlDecode here
// means entity-encoded text typed by the user is inspected in decoded form.
// Note the value is read by index here but by key in the GET branch.
value = context.Server.HtmlDecode(context.Request.Form[i]);
if (!FilterSql(value))
{
throw new Exception("Request.Form(POST) including dangerous sql key word!");
}
}
}

 


Complete code:
Code
The code is as follows:
using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.UI; 
using System.Web.UI.WebControls; 
using System.Text; 
namespace DotNet.Common.WebForm 
{ 
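/// <summary>
/// Simple SQL-injection filter: rejects any request whose query-string or form
/// values contain a blacklisted SQL keyword.
/// This is defense in depth only. A keyword blacklist is easy to evade and also
/// produces false positives on ordinary text, so parameterized queries (ADO.NET
/// parameters or an ORM) remain the real protection against SQL injection.
/// Only Request.QueryString and Request.Form are inspected; cookies, headers,
/// route values and non-form request bodies are not.
/// </summary>
public class SqlHttpModule : IHttpModule
{
    /// <summary>
    /// Blacklisted keywords, split once and shared by all requests. In a real
    /// project this list would usually live in a configuration file (xml, txt, ...)
    /// and can be adjusted per project.
    /// The trailing space on most entries limits a match to the keyword followed by
    /// a space ("select " does not match "selected").
    /// NOTE(review): "creat " never matches "create ", and "open" has no trailing
    /// space so it also matches words such as "opened" — confirm both are intended.
    /// </summary>
    private static readonly string[] DangerousKeywords =
        "insert |delete |select |update |exec |varchar |drop |creat |declare |truncate |cursor |begin |open|<-- |--> ".Split('|');

    public void Dispose()
    {
    }

    /// <summary>
    /// Subscribes to AcquireRequestState (not BeginRequest) so that session state
    /// has already been loaded when the check runs.
    /// </summary>
    /// <param name="context">The application whose pipeline events are hooked.</param>
    public void Init(HttpApplication context)
    {
        context.AcquireRequestState += new EventHandler(context_AcquireRequestState);
    }

    /// <summary>
    /// Scans the GET query string and the POST form of the current request and
    /// aborts the request when a value contains a blacklisted keyword.
    /// </summary>
    /// <param name="sender">The HttpApplication raising the event.</param>
    /// <param name="e">Unused.</param>
    /// <exception cref="HttpException">
    /// Thrown with status 400 (Bad Request) when a dangerous keyword is found, so
    /// the client receives a client-error response instead of a generic server
    /// error. HttpException derives from Exception, so existing handlers that catch
    /// Exception keep working.
    /// </exception>
    private void context_AcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        // The original wrapped both checks in try { } catch (Exception ex) { throw ex; },
        // which only reset the stack trace of the rethrown exception; it is dropped.
        CheckQueryString(context);
        CheckForm(context);
    }

    /// <summary>Checks the url query string (GET data).</summary>
    /// <param name="context">The current request context.</param>
    private static void CheckQueryString(HttpContext context)
    {
        if (context.Request.QueryString == null)
        {
            return;
        }
        for (int i = 0; i < context.Request.QueryString.Count; i++)
        {
            string key = context.Request.QueryString.Keys[i];
            // Request.QueryString is already URL-decoded by ASP.NET; decoding again
            // (kept from the original) also inspects values that were encoded twice.
            string value = context.Server.UrlDecode(context.Request.QueryString[key]);
            if (!FilterSql(value))
            {
                throw new HttpException(400, "QueryString(GET) including dangerous sql key word!");
            }
        }
    }

    /// <summary>Checks the posted form (POST data).</summary>
    /// <param name="context">The current request context.</param>
    private static void CheckForm(HttpContext context)
    {
        if (context.Request.Form == null)
        {
            return;
        }
        for (int i = 0; i < context.Request.Form.Count; i++)
        {
            string key = context.Request.Form.Keys[i];
            // __VIEWSTATE is an opaque ASP.NET field rather than user text.
            // NOTE(review): other framework hidden fields (e.g. __EVENTVALIDATION)
            // are still scanned — confirm they cannot trip the blacklist.
            if (key == "__VIEWSTATE") continue;
            // NOTE(review): browsers do not HTML-encode form values; HtmlDecode (kept
            // from the original) means entity-encoded text is inspected in decoded form.
            string value = context.Server.HtmlDecode(context.Request.Form[i]);
            if (!FilterSql(value))
            {
                throw new HttpException(400, "Request.Form(POST) including dangerous sql key word!");
            }
        }
    }

    /// <summary>
    /// Returns true when <paramref name="key"/> is free of blacklisted keywords;
    /// null or empty input passes. Kept with its original name; the check itself
    /// lives in ContainsDangerousKeyword.
    /// </summary>
    /// <param name="key">A decoded request value.</param>
    private static bool FilterSql(string key)
    {
        return !ContainsDangerousKeyword(key);
    }

    /// <summary>
    /// Returns true when <paramref name="value"/> contains one of the blacklisted
    /// keywords. The comparison is ordinal and case-insensitive: the original
    /// ToUpper()/IndexOf pair is culture-sensitive, so under e.g. the Turkish culture
    /// "insert" and "INSERT" do not upper-case to the same string and an upper-case
    /// keyword would slip past the check.
    /// </summary>
    /// <param name="value">A decoded request value; null or empty counts as safe.</param>
    /// <returns>True when a blacklisted keyword occurs anywhere in the value.</returns>
    public static bool ContainsDangerousKeyword(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return false;
        }
        foreach (string keyword in DangerousKeywords)
        {
            if (value.IndexOf(keyword, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }
        return false;
    }
}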
} 

 

3. Using it in a web project
Just add the following to the httpModules node of web.config:
<httpModules>
<add name="SqlHttpModule" type="DotNet.Common.WebForm.SqlHttpModule, DotNet.Common.WebForm"></add>
</httpModules>
Note that this way of preventing SQL injection is simple and efficient, especially in small projects, but it is not universal; normally we rely on parameterized queries (parameterized ADO.NET, or an ORM that parameterizes for you) to prevent SQL injection.
Appendix: an easy way to include JS scripts in the page header in ASP.NET
ASP.NET development inevitably relies on JavaScript. In a typical project, js files are organized in a public directory such as a js folder. As the project grows, you will find more and more js script files, and the public library keeps getting larger. In actual use, we usually include js files on each page, so more and more `<script src="..." type="text/javascript">` tags are introduced. Here we discuss a simple, unified way of including the public script library on every page, instead of each page carrying many `<script src="..." type="text/javascript">` tags.
As in our previous practice, we define a page base class called BasePage; its events and methods are as follows:
Code
The code is as follows:

using System; 
using System.Data; 
using System.Configuration; 
using System.Collections.Generic; 
using System.Web; 
using System.Web.Security; 
using System.Web.UI; 
using System.Web.UI.WebControls; 
using System.Web.UI.WebControls.WebParts; 
using System.Web.UI.HtmlControls; 
using System.Reflection; 
using System.Text; 
using System.IO; 
namespace DotNet.Common.WebForm 
{ 
using DotNet.Common.Model; 
using DotNet.Common.Util; 
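public class BasePage : System.Web.UI.Page
{
    public BasePage()
    {
    }

    /// <summary>
    /// Application-relative directory whose *.js files are included in the page
    /// header. Derived pages may override it; the default is "~/js/".
    /// </summary>
    protected virtual string HeaderJsPath
    {
        get { return "~/js/"; }
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        AddHeaderJs(); // add js (and similar) files to the page head
    }

    #region add the shared js files to the page head
    /// <summary>
    /// Emits one &lt;script&gt; tag for every *.js file directly inside
    /// <see cref="HeaderJsPath"/> into the page header. Every script in that
    /// directory is loaded by every page, so the folder should hold only the
    /// shared library. Files are included in ordinal name order so the include
    /// order (a library before the plugins that need it) is the same on every server.
    /// </summary>
    /// <exception cref="DirectoryNotFoundException">The js directory does not exist.</exception>
    /// <exception cref="InvalidOperationException">The page has no &lt;head runat="server"&gt;.</exception>
    private void AddHeaderJs()
    {
        string jsPath = HeaderJsPath;
        string filePath = Server.MapPath(jsPath);
        if (!Directory.Exists(filePath))
            throw new DirectoryNotFoundException("路径不存在");
        // Header is null when the page has no <head runat="server">; the original
        // failed here with a NullReferenceException.
        if (Header == null)
            throw new InvalidOperationException("The page has no <head runat=\"server\">, so header scripts cannot be added.");

        // Directory.GetFiles gives no ordering guarantee, so sort explicitly.
        List<string> listJs = new List<string>();
        foreach (var item in Directory.GetFiles(filePath, "*.js", SearchOption.TopDirectoryOnly))
        {
            listJs.Add(Path.GetFileName(item));
        }
        listJs.Sort(StringComparer.OrdinalIgnoreCase);

        StringBuilder sb = new StringBuilder();
        foreach (var jsname in listJs)
        {
            sb.Append(ScriptInclude(jsPath + jsname));
        }

        Literal lit = new Literal();
        lit.Text = sb.ToString();
        // The original used AddAt(1) unconditionally, which throws when the header
        // holds no child control yet; clamp the index so an empty header still works.
        Header.Controls.AddAt(Math.Min(1, Header.Controls.Count), lit);
    }

    /// <summary>
    /// Turns an application-relative url ("~/...") into a root-relative one using
    /// the current request's ApplicationPath. Other urls are returned unchanged;
    /// null or empty becomes empty.
    /// </summary>
    /// <param name="relativeUrl">The url to resolve.</param>
    private string ResolveHeaderUrl(string relativeUrl)
    {
        return ResolveHeaderUrl(HttpContext.Current.Request.ApplicationPath, relativeUrl);
    }

    /// <summary>
    /// Pure form of <see cref="ResolveHeaderUrl(string)"/> that takes the
    /// application path explicitly, so it can be exercised without a request.
    /// </summary>
    /// <param name="applicationPath">The virtual root of the application, e.g. "/" or "/app".</param>
    /// <param name="relativeUrl">The url to resolve.</param>
    /// <returns>The resolved url; empty when <paramref name="relativeUrl"/> is null or empty.</returns>
    public static string ResolveHeaderUrl(string applicationPath, string relativeUrl)
    {
        if (string.IsNullOrEmpty(relativeUrl))
        {
            return string.Empty;
        }
        if (!relativeUrl.StartsWith("~", StringComparison.Ordinal))
        {
            return relativeUrl;
        }
        // At the site root ApplicationPath is "/", which would otherwise produce "//js/...".
        string url = applicationPath + relativeUrl.Substring(1);
        return url.Replace("//", "/");
    }

    /// <summary>
    /// Builds the &lt;script&gt; tag for one js url. The url is built from the
    /// server's own directory listing, not from request input, so it is emitted
    /// unencoded; a file name containing a quote would still break the markup.
    /// </summary>
    /// <param name="url">Application-relative or absolute url of the script.</param>
    /// <exception cref="ArgumentException"><paramref name="url"/> is null or empty.</exception>
    private string ScriptInclude(string url)
    {
        if (string.IsNullOrEmpty(url))
            throw new ArgumentException("路径不存在", "url");
        string path = ResolveHeaderUrl(url);
        return string.Format(@"<script src='{0}' type='text/javascript'></script>", path);
    }
    #endregion
}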
} 

 


This simply solves the problem of including the public js files. By the same principle, you can also include other types of files, such as css.

Reproduced from: https://www.cnblogs.com/Alenliu/p/4937797.html


Origin blog.csdn.net/weixin_34321977/article/details/93470058