發現這個代碼使用的HttpModules這個防止MySQL注入的代碼很好嗎?
public class SampleSqlInjectionScreeningModuleCS : IHttpModule
{
//Defines the set of characters that will be checked.
//You can add to this list, or remove items from this list, as appropriate for your site
public static string[] blackList = {"--",";--",";","/*","*/","@@","@",
"char","nchar","varchar","nvarchar",
"alter","begin","cast","create","cursor","declare","delete","drop","end","exec","execute",
"fetch","insert","kill","open",
"select", "sys","sysobjects","syscolumns",
"table","update"};
public void Dispose()
{
//no-op
}
//Tells ASP.NET that there is code to run during BeginRequest
public void Init(HttpApplication app)
{
app.BeginRequest += new EventHandler(app_BeginRequest);
}
//For each incoming request, check the query-string, form and cookie values for suspicious values.
void app_BeginRequest(object sender, EventArgs e)
{
HttpRequest Request = (sender as HttpApplication).Context.Request;
foreach (string key in Request.QueryString)
CheckInput(Request.QueryString[key]);
foreach (string key in Request.Form)
CheckInput(Request.Form[key]);
foreach (string key in Request.Cookies)
CheckInput(Request.Cookies[key].Value);
}
//The utility method that performs the blacklist comparisons
//You can change the error handling, and error redirect location to whatever makes sense for your site.
private void CheckInput(string parameter)
{
for (int i = 0; i < blackList.Length; i++)
{
if ((parameter.IndexOf(blackList[i], StringComparison.OrdinalIgnoreCase) >= 0))
{
//
//Handle the discovery of suspicious Sql characters here
//
HttpContext.Current.Response.Redirect("~/About.aspx"); //generic error page on your site
}
}
}
}
這是一個好的代碼或者你認爲我需要添加更多的東西在黑名單中,或忘了這一點,並嘗試另一種方法,以防止注射防止一些基本的MySQL注射?
你應該檢查出http://codereview.stackexchange.com –
忘記這種做法,你可能會阻止有效的內容。驗證適當類型的輸入,然後查看參數化查詢。 –
爲什麼不爲你的SQL查詢使用參數,而不用擔心? – Bridge