代码完善

698312a5 · ryun · af814b5a · 698312a5
Commit 698312a5 authored Feb 23, 2023 by ryun
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 10 deletions

performance/Performance.Api/Filters/AntiSqlInjectFilter.cs
+16 -10

No files found.
--- a/performance/Performance.Api/Filters/AntiSqlInjectFilter.cs
+++ b/performance/Performance.Api/Filters/AntiSqlInjectFilter.cs
@@ -4,9 +4,9 @@
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using System.Web;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Options;
 using Performance.DtoModels;
 using Performance.DtoModels.AppSettings;
@@ -37,7 +37,7 @@ static AntiSqlInject()
        //private static string StrSymbol = ";|(|)|[|]|{|}|%|@|*|'|!";

        private const string SqlCommandKeywords = "*|and|asc(|by|char|char(|chr|column_name|count|count(|create|declare|delete|drop|drop table|exec|execute|from|grant|group_concat|having|information_schema.columns|insert|like|master|mid|mid(|net local group administrators|net user|or|orderhaving|select|sitename|table|table_schema|truncate|union|update|use|where|xp_cmdshell";
-        private const string SqlSeparatKeywords = "--|;|!|'|\"|(|)|[|]|{|}|@|*|/*|#|%";
+        private const string SqlSeparatKeywords = "--|;|!|'|\"|(|)|[|]|{|}|*|/*|#|%";
        private static readonly List<string> SqlKeywordsArray = new List<string>();

        /// <summary>  
@@ -115,11 +115,14 @@ public AntiSqlInjectFilter(IOptions<Application> options)
                        if (!pType.IsClass) continue;

                        //对string类型过滤 
-                        if (value is string && !AntiSqlInject.Instance.IsSafetySql(value.ToString()))
+                        if (value is string)
                        {
-                            var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
-                            context.Result = new ObjectResult(response);
-                            return;
+                            if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
+                            {
+                                var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
+                                context.Result = new ObjectResult(response);
+                                return;
+                            }
                        }
                        else if (value is not IFormCollection)
                        {
@@ -130,11 +133,14 @@ public AntiSqlInjectFilter(IOptions<Application> options)
                                var temp = pp.GetValue(value);
                                if (temp == null) continue;

-                                if (temp is string && !AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
+                                if (temp is string)
                                {
-                                    var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
-                                    context.Result = new ObjectResult(response);
-                                    return;
+                                    if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
+                                    {
+                                        var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
+                                        context.Result = new ObjectResult(response);
+                                        return;
+                                    }
                                }
                            }
                        }