asp.net (c#)檢測sql注入的類

using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using Microsoft.VisualBasic;

 

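/// <summary>
/// Blocklist-based detector for request parameters that look like SQL
/// injection attempts. <see cref="CheckBadstring"/> scans every query-string
/// and form value; on a hit it records the request in the SqlIn table and
/// terminates the response with a notice to the client.
/// </summary>
/// <remarks>
/// Token matching of this kind is only a tripwire: it produces false
/// positives on ordinary words (e.g. "account" contains "count") and cannot
/// replace parameterized queries in the pages that actually touch the
/// database. This class itself builds its audit INSERT by concatenation,
/// so every concatenated value is quote-stripped first.
/// </remarks>
public class CheckSql
{
    // Tokens whose presence (case-insensitive) marks a value as suspicious.
    // The list is unchanged from the original so detection behaviour stays
    // the same; note that "20%and20%" etc. are kept as the author wrote them.
    private const string BlockedTokenList = ";|'|*|%| and |20%and20%| master |20%master20%|exec|insert|select|delete|count|chr|mid|truncate|char|declare";

    // Split once instead of on every call (the original rebuilt it per call).
    private static readonly string[] BlockedTokens = BlockedTokenList.Split(new char[] { '|' });

    // NOTE(review): Base is declared elsewhere in the project; its
    // ExecTransact(string) signature is the only thing visible here.
    Base objbase = new Base();

    /// <summary>
    /// Copy of the token list used by the most recent scan. Kept because it
    /// was public in the original; it is assigned on every n_check call.
    /// </summary>
    public string[] N_noarray;

    /// <summary>
    /// Form values whose length is at or above this limit are NOT inspected
    /// (the original hard-coded 30). Raise it, or set it to int.MaxValue, if
    /// long fields must be scanned too — as shipped this is a bypass for any
    /// POST value of 30+ characters.
    /// </summary>
    public int MaxFormValueLength = 30;

    // Filled by CheckBadstring from the server variables of the request.
    private string N_userIP, N_thispage;

    /// <summary>Request to scan; must be assigned before <see cref="CheckBadstring"/>.</summary>
    public System.Web.HttpRequest request;

    /// <summary>Response used to report a hit; must be assigned before <see cref="CheckBadstring"/>.</summary>
    public System.Web.HttpResponse response;

    /// <summary>Creates a detector; assign <see cref="request"/> and <see cref="response"/> before use.</summary>
    public CheckSql()
    {
    }

    /// <summary>
    /// Returns true when <paramref name="str"/> contains none of the blocked
    /// tokens, false otherwise. A null or empty string is considered clean.
    /// </summary>
    /// <param name="str">Value to inspect; may be null.</param>
    /// <returns>true if no blocked token is found.</returns>
    public static bool CheckStr(string str)
    {
        if (string.IsNullOrEmpty(str))
        {
            return true;
        }
        return !ContainsBlockedToken(str);
    }

    /// <summary>
    /// Case-insensitive ordinal search for any blocked token. Ordinal is used
    /// (rather than the VB culture-sensitive InStr) so the result does not
    /// depend on the server's locale and ignorable characters are not skipped.
    /// </summary>
    private static bool ContainsBlockedToken(string value)
    {
        for (int i = 0; i < BlockedTokens.Length; i++)
        {
            if (value.IndexOf(BlockedTokens[i], StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Scans all query-string values and all (short) form values of
    /// <see cref="request"/>. On the first hit the request is logged and the
    /// response is ended, so this method does not return in that case.
    /// </summary>
    /// <exception cref="InvalidOperationException">
    /// request or response has not been assigned.
    /// </exception>
    public void CheckBadstring()
    {
        if (request == null || response == null)
        {
            throw new InvalidOperationException("request and response must be assigned before calling CheckBadstring().");
        }

        // Server variables can be absent (e.g. outside IIS); default to empty
        // rather than failing with a NullReferenceException on ToLower().
        N_userIP = request.ServerVariables["REMOTE_ADDR"] ?? string.Empty;
        string url = request.ServerVariables["URL"];
        N_thispage = url == null ? string.Empty : url.ToLowerInvariant();

        N_check_Qs();
        N_check_form();
    }

    /// <summary>
    /// Inspects each POSTed form value shorter than <see cref="MaxFormValueLength"/>.
    /// The parameter name (Keys[i]) is passed along so the audit row records
    /// which field carried the value; the original passed an unassigned field.
    /// </summary>
    private void N_check_form()
    {
        for (int i = 0; i < request.Form.Count; i++)
        {
            string value = request.Form[i];
            if (!string.IsNullOrEmpty(value) && value.Length < MaxFormValueLength)
            {
                n_check(request.Form.Keys[i], value, "POST");
            }
        }
    }

    /// <summary>Inspects every query-string value, regardless of length.</summary>
    private void N_check_Qs()
    {
        for (int i = 0; i < request.QueryString.Count; i++)
        {
            n_check(request.QueryString.Keys[i], request.QueryString[i], "GET");
        }
    }

    /// <summary>
    /// Logs and reports <paramref name="agsql"/> if it contains a blocked token.
    /// </summary>
    /// <param name="ag">Parameter name the value came from.</param>
    /// <param name="agsql">Raw submitted value; null/empty is ignored.</param>
    /// <param name="sqltype">"GET", "POST" or "OTHER" (the latter is logged only by N_regsql's contract: not at all).</param>
    private void n_check(string ag, string agsql, string sqltype)
    {
        // The original exposed a fresh copy of the token list per call; keep
        // that so callers that read N_noarray cannot mutate the shared array.
        N_noarray = (string[])BlockedTokens.Clone();

        if (string.IsNullOrEmpty(agsql))
        {
            return;
        }
        if (ContainsBlockedToken(agsql))
        {
            N_regsql(ag, agsql, sqltype);
        }
    }

    /// <summary>
    /// Records the hit in SqlIn and, unless <paramref name="sqltype"/> is
    /// "OTHER", writes a notice to the client and ends the response.
    /// </summary>
    private void N_regsql(string ag, string agsql, string sqltype)
    {
        // Every concatenated value is quote-stripped. The original only
        // treated agsql, leaving the URL, parameter name and IP able to
        // break out of the string literal in the audit INSERT.
        // NOTE(review): Base.ExecTransact is not visible here; if it offers a
        // parameterized overload, prefer that over this string build.
        string sql = "insert into SqlIn(Sqlin_IP,Sqlin_Web,Sqlin_Fs,SqlIn_Cs,Sqlin_Sj,Sqlin_date) values ('"
            + EscapeQuote(N_userIP) + "','"
            + EscapeQuote(N_thispage) + "','"
            + EscapeQuote(sqltype) + "','"
            + EscapeQuote(ag) + "','"
            + EscapeQuote(agsql) + "',getdate())";

        if (sqltype != "OTHER")
        {
            objbase.ExecTransact(sql);
            // The original tag "<script> Language=Javascript>" was malformed
            // and the alert never executed; the alert text itself is unchanged.
            response.Write("<script type='text/javascript'>alert('請不要在參數中包含非法字符嘗試注入!');</script>");
            response.Write("<span style='font-size:12px'>非法操作!系統做了如下記錄!<br>");
            // Request-derived values are HTML-encoded: echoing the raw value
            // back made this notice page itself a reflected-XSS sink.
            response.Write("操作IP:" + HttpUtility.HtmlEncode(N_userIP) + "<br>");
            response.Write("操作時間:" + DateTime.Now + "<br>");
            response.Write("操作頁面:" + HttpUtility.HtmlEncode(N_thispage) + "<br>");
            response.Write("提交方式:" + HttpUtility.HtmlEncode(sqltype) + "<br>");
            response.Write("提交數據:" + HttpUtility.HtmlEncode(agsql) + "</span>");
            response.End();
        }
    }

    /// <summary>
    /// Replaces single quotes with "##" (the original's recording format) so
    /// the value cannot terminate a T-SQL string literal; null becomes "".
    /// </summary>
    private static string EscapeQuote(string value)
    {
        if (value == null)
        {
            return string.Empty;
        }
        return value.Replace("'", "##");
    }
}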
 使用時在頁面中需要驗證的位置加入:

 CheckSql checksql = new CheckSql();
            checksql.request = this.Request;
            checksql.response = this.Response;
            checksql.CheckBadstring();

 
