출처 : http://forums.asp.net/t/1254125.aspx
를 보면 ASP.NET 1.1이냐 2.0 이냐에 따라 각각 이렇게 하라고 한다. 아직은 난 web.config가 익숙지 않아서 그런지 1.1 방식으로 하면 잘 되는데 2.0 방식으로는 잘 안된다. -_-
ASP.NET 1.1 C#
global.asax
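using System.Globalization;

//Defines the set of substrings that will be checked. Matching is a case-insensitive
//substring search (see ContainsBlacklistedToken), so short entries such as "end", "open",
//"sys", "char" and "@" also match ordinary words and e-mail addresses - expect false
//positives on free-text fields and tune the list for your site.
//NOTE(review): a request-level blacklist is only a coarse screen; it does not replace
//parameterized queries in the data-access code, which is the actual injection defense.
public static string[] blackList = { "--", ";--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update" };

//Returns true when parameter contains any blackList entry (invariant-culture,
//case-insensitive substring match). A null or empty parameter never matches;
//the original passed it straight to CompareInfo.IndexOf, which throws on null.
public static bool ContainsBlacklistedToken(string parameter)
{
    if (string.IsNullOrEmpty(parameter))
    {
        return false;
    }
    CompareInfo comparer = CultureInfo.InvariantCulture.CompareInfo;
    foreach (string token in blackList)
    {
        if (comparer.IndexOf(parameter, token, CompareOptions.IgnoreCase) >= 0)
        {
            return true;
        }
    }
    return false;
}

//The utility method that performs the blacklist comparison and handles a hit.
//You can change the error handling, and error redirect location to whatever makes sense for your site.
private void CheckInput(string parameter)
{
    if (ContainsBlacklistedToken(parameter))
    {
        //
        //Handle the discovery of suspicious Sql characters here
        //
        //Response.Redirect(url) ends the response by default, so no further checks run.
        Response.Redirect("~/Error.aspx"); //generic error page on your site
    }
}

//For each incoming request, check the query-string, form and cookie values for suspicious values.
//Request headers and the URL path are not screened here.
void Application_BeginRequest(object sender, EventArgs e)
{
    foreach (string key in Request.QueryString)
    {
        CheckInput(Request.QueryString[key]);
    }
    foreach (string key in Request.Form)
    {
        CheckInput(Request.Form[key]);
    }
    foreach (string key in Request.Cookies)
    {
        CheckInput(Request.Cookies[key].Value);
    }
}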
ASP.NET 2.0 C#
App_Code/SampleSqlInjectionScreeningModule.cs
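using System;
using System.Data;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

namespace Sample
{
    //Screens query-string, form and cookie values of every request against blackList.
    //The module only runs once it is registered in web.config (typically under
    //<system.web><httpModules>, or <system.webServer><modules> in IIS7 integrated mode).
    public class SampleSqlInjectionScreeningModuleCS : IHttpModule
    {
        //Defines the set of substrings that will be checked. Matching is a case-insensitive
        //substring search (see ContainsBlacklistedToken), so short entries such as "end", "open",
        //"sys", "char" and "@" also match ordinary words and e-mail addresses - expect false
        //positives on free-text fields and tune the list for your site.
        //NOTE(review): a request-level blacklist is only a coarse screen; it does not replace
        //parameterized queries in the data-access code, which is the actual injection defense.
        public static string[] blackList = { "--", ";--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar", "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "end", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update" };

        public void Dispose()
        {
            //no-op
        }

        //Tells ASP.NET that there is code to run during BeginRequest
        public void Init(HttpApplication app)
        {
            app.BeginRequest += app_BeginRequest;
        }

        //For each incoming request, check the query-string, form and cookie values for suspicious values.
        //Request headers and the URL path are not screened here.
        void app_BeginRequest(object sender, EventArgs e)
        {
            //A direct cast fails with a clear InvalidCastException instead of a
            //NullReferenceException if the sender is ever not an HttpApplication.
            HttpRequest request = ((HttpApplication)sender).Context.Request;
            foreach (string key in request.QueryString)
            {
                CheckInput(request.QueryString[key]);
            }
            foreach (string key in request.Form)
            {
                CheckInput(request.Form[key]);
            }
            foreach (string key in request.Cookies)
            {
                CheckInput(request.Cookies[key].Value);
            }
        }

        //Returns true when parameter contains any blackList entry (ordinal, case-insensitive
        //substring match). A null or empty parameter never matches; the original called
        //IndexOf on it directly, which throws NullReferenceException for null.
        public static bool ContainsBlacklistedToken(string parameter)
        {
            if (string.IsNullOrEmpty(parameter))
            {
                return false;
            }
            foreach (string token in blackList)
            {
                if (parameter.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    return true;
                }
            }
            return false;
        }

        //The utility method that performs the blacklist comparison and handles a hit.
        //You can change the error handling, and error redirect location to whatever makes sense for your site.
        private void CheckInput(string parameter)
        {
            if (ContainsBlacklistedToken(parameter))
            {
                //
                //Handle the discovery of suspicious Sql characters here
                //
                //Response.Redirect(url) ends the response by default, so no further checks run.
                HttpContext.Current.Response.Redirect("~/Error.aspx"); //generic error page on your site
            }
        }
    }
}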