Unable to evaluate expression

2023-09-03 04:16:11 Author: 冷眸ゝ

I am using a class to check for certain words in my application to prevent SQL Injection.

In the class, there is a for loop that tries to match a specific word with the words from a blacklist. If there is a match, I must redirect to the system's error page.

However, when a match is found and I try to redirect, I keep getting the error "Unable to evaluate expression."

Here is the code:

'Blacklist declaration assumed here; it is not shown in the original post
Private blackList As String() = {"'", "--", ";", "xp_"}

Private Sub CheckInput(ByVal parameter As String)
    Try
        'Note: the raw input is reflected into the redirect URL
        Dim errorPage As String = "error_page.aspx?Injection=" & parameter

        For i As Integer = 0 To blackList.Length - 1
            If (parameter.IndexOf(blackList(i), StringComparison.OrdinalIgnoreCase) >= 0) Then
                'Handle the discovery of suspicious Sql characters here
                'generic error page on your site
                'Response.Redirect(url) ends the request by throwing ThreadAbortException
                HttpContext.Current.Response.Redirect(errorPage)
            End If
        Next

    Catch ex As Exception
        'Catches everything, including the ThreadAbortException raised by Redirect
        Throw ex
    End Try
End Sub

Once the Try block catches the error, it keeps giving the error and doesn't redirect to the error page.

Any ideas?

Recommended answer

The "Unable to evaluate expression" is from the Visual Studio debugger, when it sees the ThreadAbortException thrown by Response.Redirect. Without a debugger attached, your code will work as expected.

You can pass false to prevent the current request being ended (which is what the ThreadAbortException is for). You're then responsible for "ending" the request gracefully.

FWIW, you should also remove the try/catch, as it's serving no useful purpose other than hiding any exceptions. And, as mentioned, SQL parameters are the way to prevent injection - not whitelists.
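Following the answer's advice, as an added example (not code from the question or the answer): CheckInput rewritten to pass False to Response.Redirect and end the request with CompleteRequest instead of a ThreadAbortException, without the try/catch, plus the parameterised query the answer recommends. The blacklist contents, the Users table, the @userName column and the connection string are assumptions for the example.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web

Public Class InputGuard
    ' Constructed sample blacklist; the original post's array is not shown.
    Private Shared ReadOnly blackList As String() = {"'", "--", ";", "xp_"}

    ' Returns True when the request has been redirected, so the caller can stop
    ' processing; CompleteRequest does not abort the running page code by itself.
    Public Shared Function CheckInput(ByVal parameter As String) As Boolean
        For Each word As String In blackList
            If parameter.IndexOf(word, StringComparison.OrdinalIgnoreCase) >= 0 Then
                ' Use a fixed marker rather than reflecting the raw input into the URL.
                Dim errorPage As String = "error_page.aspx?Injection=1"
                Dim ctx As HttpContext = HttpContext.Current
                ' endResponse:=False keeps Redirect from calling Response.End, which is
                ' what throws ThreadAbortException; CompleteRequest then skips the rest
                ' of the pipeline so the response is sent without aborting the thread.
                ctx.Response.Redirect(errorPage, endResponse:=False)
                ctx.ApplicationInstance.CompleteRequest()
                Return True
            End If
        Next
        Return False
    End Function

    ' The defence the answer recommends: a parameterised query. The value is bound
    ' as data, so it is never parsed as SQL whatever characters it contains.
    Public Shared Function CountUsers(ByVal connectionString As String, ByVal userName As String) As Integer
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("SELECT COUNT(*) FROM Users WHERE UserName = @userName", conn)
                cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName
                conn.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function
End Class
```

With the query parameterised, the blacklist check becomes a defence-in-depth signal rather than the control that prevents injection.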