1. 禁止外部提交
if(Request.UrlReferrer != null && Request.UrlReferrer.Host == Request.ServerVariables["Server_Name"] ) {正常处理} else {是外部提交}
注意：Referer 由客户端提供，可能缺失（如浏览器隐私设置、从 HTTPS 跳转到 HTTP）或被伪造，因此该检查只能作为辅助手段，不能替代服务端的防伪令牌校验。
2. 防止URL注入
一.如果参数全为数字: // 检查字符串是否全为数字
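/// <summary>
/// Returns true when <paramref name="Str"/> is a non-empty run of decimal digits that
/// parses as a non-zero 32-bit integer; used to validate numeric query-string parameters
/// before they reach any query or page logic.
/// </summary>
/// <param name="Str">Raw parameter value. null (parameter absent) is rejected instead of
/// throwing, so a missing parameter takes the same error path as a malformed one.</param>
/// <returns>false for null, "", any non-digit character, values that do not fit in an int,
/// and 0; true otherwise (leading zeros are accepted, e.g. "007").</returns>
public static bool IsNum(string Str)
{
    if (string.IsNullOrEmpty(Str))
    {
        return false;
    }

    // NumberStyles.None admits only the digits 0-9: no sign, whitespace or separators.
    // TryParse also returns false for values too large for int, where the original
    // int.Parse threw OverflowException (and FormatException for Unicode digits that
    // Char.IsNumber accepted but int.Parse did not).
    int value;
    if (!int.TryParse(Str, System.Globalization.NumberStyles.None,
                      System.Globalization.CultureInfo.InvariantCulture, out value))
    {
        return false;
    }

    // The original treated 0 as invalid; keep that contract for callers.
    return value != 0;
}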
// 应用 (usage): validate the raw query-string value before it is used anywhere.
string Topicid = Request.QueryString["Topicid"];
if (!IsNum(Topicid))
{
    // Not an acceptable numeric id: hand off to the error page instead of using the value.
    Server.Transfer("Error.aspx?ErrID=404");
}
二.如果参数为文本.
// Html转换
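/// <summary>
/// HTML-encodes untrusted text for output inside an HTML element body, then applies the
/// page's display conventions: CR is dropped, LF becomes &lt;br&gt;, every space becomes
/// &amp;nbsp;.
/// </summary>
/// <param name="chr">Raw text, e.g. a query-string value; null yields "".</param>
/// <returns>Text in which the only markup is the &lt;br&gt; and &amp;nbsp; inserted here.</returns>
public static string htmlstr(string chr)
{
    if (chr == null)
    {
        return "";
    }

    // '&' is escaped first so the entities written below are not re-escaped. The original
    // chain omitted it, so pre-existing entities in the input passed straight through.
    // (System.Web.HttpUtility.HtmlEncode performs these five replacements as well.)
    string s = chr.Replace("&", "&amp;");
    s = s.Replace("<", "&lt;");
    s = s.Replace(">", "&gt;");
    s = s.Replace("\"", "&quot;");
    s = s.Replace("'", "&#39;");

    // Presentation replacements run after escaping so the inserted markup survives.
    s = s.Replace("\r", "");
    s = s.Replace("\n", "<br>");
    s = s.Replace(" ", "&nbsp;");
    return s;
}
// 应用 (usage): string strClass = htmlstr(Request.QueryString["ClassName"]);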
3. 加密参数
加密参数一般都是先加密(各种方法),到目的页面再解密(相对的解密方法).注意：仅加密并不能保证参数未被篡改或重放，解密得到的值仍应按照明文参数做同样的校验。
Encode - Decode
|