实例代码:可以有效防止sql注入

发布时间：2020-12-12 12:31:26 所属栏目：MsSql教程来源：网络整理

导读：编程之家 jb51.cc：我们先来看一段代码： /// summary /// 移除字符串中的可能引起危险Sql字符 /// /summary /// param name=str/param /// returns/returns public static string RemoveSqlUnsafeString(string str) { string p = @[-|;|,|/|(|)|[|]|}|{|%|

/// <summary>
/// 移除字符串中的可能引起危险Sql字符
/// </summary>
/// <param name="str"></param>
/// <returns></returns>
public static string RemoveSqlUnsafeString(string str)
{
string p = @"[-|;|,|/|(|)|[|]|}|{|%|@|*|!|']";
return Regex.Replace(str,p,"");
}
/// <summary>
/// 检测是否有Sql危险字符
/// </summary>
/// <param name="str">要判断字符串</param>
/// <returns>判断结果</returns>
public static bool IsSafeSqlString(string str)
{

return !Regex.IsMatch(str,@"[-|;|,|/|(|)|[|]|}|{|%|@|*|!|']");
}

/// <summary>
/// 替换sql语句中的有问题符号
/// </summary>
public static string ChkSQL(string str)
{
string str2;

if (str == null)
{
str2 = "";
}
else
{
str = str.Replace("'","''");
str2 = str;
}
return str2;
}
#region 过滤攻击性字符
/// <summary>
/// 过滤攻击性字符
/// </summary>
/// <param name="str"></param>
/// <returns></returns>
public static string ReplaceBadChar(string str)
{
if (!string.IsNullOrEmpty(str))
{
str = Regex.Replace(str,@"(?s)/*.*?*/","",RegexOptions.IgnoreCase); //删除注释:/* */
str = Regex.Replace(str,@"(?s)<script.*?>.*?</script>",RegexOptions.IgnoreCase); //删除脚本
str = Regex.Replace(str,@"(?s)<style.*?>.*?</style>",RegexOptions.IgnoreCase);
//需要把用户自己添加的样式都删除
//<link href="/scripts/PopBox/stylesheets/Styles.css" rel="stylesheet" type="text/css" />
str = Regex.Replace(str,@"(?s)<link[^>]+href+([^>]+?)>",RegexOptions.IgnoreCase);

//替换一些比较特殊的字符
// str = str.Replace(" "," "); //将 替换为一个空格
str = str.Replace("—","－");//将—替换为-
str = str.Replace("”","”");
str = str.Replace("“","“");
str = str.Replace("≤","<=");
str = str.Replace("≠","!=");
str = str.Replace("≥",">=");

//<img src="" onerror="" /> <([^>|^<]+?on)([w]+[^=]+?)=([^>]+?)>
str = Regex.Replace(str,@"<([^>|^<]+?on)([a-z|A-Z]+[^=]+?)=([^>]+?)>",
"<$1_$2=$3>",RegexOptions.IgnoreCase);//过滤可能的XSS攻击,脚本事件

//javascript:
str = str.Replace("javascript:","ｊａｖａｓｃｒｉｐｔ：");//过滤<img src="javascript:alert(/xss/)" />

str = str.Replace("vbscrript:","ｖｂｓｃｒｉｐｔ：");//过滤ｖｂｓｃｒｉｐｔ

str = str.Replace("script","ｓｃｒｉｐｔ");//过滤所有可能的脚本 liehuo.net

//style="XSS:expression(alert(/xss/))"
str = str.Replace("expression","Ｅxpression");//过滤所有可能的脚本
//str=Regex.Replace(str,@"(style(.*))=(.*)(expression)","$1=$3",
RegexOptions.IgnoreCase); //过滤样式中，可能带有的脚本事件
//<iframe src=

str = Regex.Replace(str,"(?s)<iframe.*?>.*?</iframe>",
RegexOptions.IgnoreCase);//过滤Ifrmae;网

//防止转码XSS攻击:<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97
&#108&#101&#114&#116&#40&#39&#88&#83&#83&#39&#41&#59">
str = str.Replace("#","＃");//过滤#
// str = str.Replace("&","＆");//过滤&
str = str.Replace("%","％");//过滤%

//<img STYLE="background-image: 75726c286a61766173
63726970743a616c6572742827585353272929">
str = str.Replace("","/");//过滤防止连接１６进制的攻击

if (str.IndexOf("<script") >= 0)
str = str.Replace("<","<--script");

if (str.IndexOf("'") > 0)
str = str.Replace("'","’");

//str = str.Replace("<","<");
//str = str.Replace(">",">");

}
return str;
}
#endregion

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!

　　编程之家 52php.cn：我们先来看一段代码：