C#实现过滤sql特殊字符的方法集合
本文实例讲述了C#实现过滤sql特殊字符的方法集合。分享给大家供大家参考,具体如下:
1.
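/// <summary>
/// Strips a fixed list of characters and keywords from <paramref name="Str"/>.
/// </summary>
/// <remarks>
/// This is a blacklist, not an injection defence: keyword removal is
/// case-sensitive and also mangles legitimate text such as "updated".
/// Database access should use parameterized commands, and HTML encoding
/// belongs at the output boundary; treat this method as legacy text cleanup.
/// </remarks>
/// <param name="Str">The input text; must not be null.</param>
/// <returns>The text with the listed characters and keywords removed.</returns>
/// <exception cref="ArgumentNullException"><paramref name="Str"/> is null.</exception>
public static string FilteSQLStr(string Str)
{
    // Fail with a clear argument error instead of a NullReferenceException from Replace.
    if (Str == null)
    {
        throw new ArgumentNullException("Str");
    }
    Str = Str.Replace("'", "");
    Str = Str.Replace("\"", "");
    // As rendered here the next three lines replace a character with itself (no-ops);
    // the HTML-entity form was presumably lost in rendering - confirm against the original.
    Str = Str.Replace("&", "&");
    Str = Str.Replace("<", "<");
    Str = Str.Replace(">", ">");
    // Case-sensitive: "DELETE" or "Delete" pass through unchanged.
    Str = Str.Replace("delete", "");
    Str = Str.Replace("update", "");
    Str = Str.Replace("insert", "");
    return Str;
}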
2.
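#region Filter injection fragments from a SQL string
/// <summary>
/// Replaces or removes a fixed set of characters and keywords in <paramref name="source"/>.
/// </summary>
/// <remarks>
/// Blacklist filtering does not make a concatenated SQL statement safe; use
/// parameterized commands and treat this method as legacy text cleanup only.
/// The keyword removals are case-sensitive (the original author notes the same).
/// Several replacements are rendered here as replacing a character with itself;
/// the author's comments say a full-width form was intended, so confirm the
/// replacement strings against the original.
/// </remarks>
/// <param name="source">The input string; must not be null.</param>
/// <returns>The filtered string.</returns>
/// <exception cref="ArgumentNullException"><paramref name="source"/> is null.</exception>
public static string SqlFilter(string source)
{
    if (source == null)
    {
        throw new ArgumentNullException("source");
    }
    // Double each single quote.
    source = source.Replace("'", "''");
    // Half-width semicolon -> full-width semicolon, to stop statement batching.
    source = source.Replace(";", ";");
    // Half-width parentheses -> full-width parentheses.
    source = source.Replace("(", "(");
    source = source.Replace(")", ")");
    // TODO (original author's note): use a case-insensitive regex; String.Replace is case-sensitive.
    // Remove the stored-procedure execution keywords. "Execute" must be handled
    // before "Exec", otherwise the "Exec" pass turns "Execute" into "ute" and the
    // "Execute" pass never matches.
    source = source.Replace("Execute", "");
    source = source.Replace("Exec", "");
    // Neutralize system / extended stored-procedure prefixes.
    source = source.Replace("xp_", "xp_");
    source = source.Replace("sp_", "sp_");
    // Neutralize hexadecimal literals.
    source = source.Replace("0x", "0x");
    return source;
}
#endregion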
3.
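/// <summary>
/// Substitutes a fixed set of SQL-significant characters in <paramref name="str"/>.
/// </summary>
/// <remarks>
/// Character substitution is not an injection defence; use parameterized SQL
/// commands. As rendered here most substitutions replace a character with
/// itself (only the single quote and the dollar sign visibly change); a
/// full-width form was presumably intended, so confirm against the original.
/// </remarks>
/// <param name="str">The string to filter; null is treated like an empty string.</param>
/// <returns>The filtered string, or an empty string for null or empty input.</returns>
public static string ReplaceSQLChar(string str)
{
    // Null previously fell through to Replace and threw; treat it like empty input.
    if (string.IsNullOrEmpty(str))
    {
        return String.Empty;
    }
    str = str.Replace("'", "‘");
    str = str.Replace(";", ";");
    str = str.Replace(",", ",");
    str = str.Replace("?", "?");
    str = str.Replace("<", "<");
    str = str.Replace(">", ">");
    str = str.Replace("(", "(");
    str = str.Replace(")", ")");
    str = str.Replace("@", "@");
    str = str.Replace("=", "=");
    str = str.Replace("+", "+");
    str = str.Replace("*", "*");
    str = str.Replace("&", "&");
    str = str.Replace("#", "#");
    str = str.Replace("%", "%");
    str = str.Replace("$", "¥");
    return str;
}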
4.
/// <summary>
/// Strips script blocks, HTML tags, a fixed list of database/OS keywords and
/// some punctuation from <paramref name="Htmlstring"/>, then HTML-encodes and
/// trims the result.
/// </summary>
/// <remarks>
/// Order matters: every step sees the output of the previous one (for example
/// "netuser" is removed before "net", and "-" before "delete"). The keyword
/// list includes common English fragments ("and", "or", "net", "mid", "char",
/// "asc"), so ordinary prose is altered as well. This is a legacy blacklist and
/// not a substitute for parameterized SQL and output encoding. The final step
/// needs an active HttpContext.
/// </remarks>
/// <param name="Htmlstring">Source text that may contain HTML, script, database keywords and special characters.</param>
/// <returns>The cleaned, HTML-encoded and trimmed text; an empty string when the input is null.</returns>
public string NoHtml(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }
    else
    {
        // Remove script blocks.
        Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
        // Remove HTML tags.
        Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
        // Drop a line break together with the whitespace that follows it.
        Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
        // Without RegexOptions.Singleline '.' stops at a line break, so only the rest of that line is removed.
        Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);
        // Decode a handful of named/numeric entities back to characters.
        Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
        // Any other numeric entity is dropped entirely.
        Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);
        // Repeated further down; the second occurrence is a harmless no-op.
        Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
        // Remove database-related words (case-insensitive substring matches).
        Htmlstring = Regex.Replace(Htmlstring, "select", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "insert", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "deletefrom", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "droptable", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "truncate", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "execmaster", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "netlocalgroupadministrators", "", RegexOptions.IgnoreCase);
        // "and" and "or" are removed from any word that contains them.
        Htmlstring = Regex.Replace(Htmlstring, "and", "", RegexOptions.IgnoreCase);
        // "netuser" must precede the bare "net" removal below.
        Htmlstring = Regex.Replace(Htmlstring, "netuser", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "or", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "net", "", RegexOptions.IgnoreCase);
        //Htmlstring=Regex.Replace(Htmlstring,"*","",RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "-", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "delete", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "drop", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);
        // Special characters.
        Htmlstring = Htmlstring.Replace("<", "");
        Htmlstring = Htmlstring.Replace(">", "");
        Htmlstring = Htmlstring.Replace("*", "");
        // Already removed by the "-" regex above; this line is a no-op.
        Htmlstring = Htmlstring.Replace("-", "");
        Htmlstring = Htmlstring.Replace("?", "");
        // The doubled quote is then HTML-encoded as well by the final step.
        Htmlstring = Htmlstring.Replace("'", "''");
        Htmlstring = Htmlstring.Replace(",", "");
        Htmlstring = Htmlstring.Replace("/", "");
        Htmlstring = Htmlstring.Replace(";", "");
        // Cannot match: every '*' was removed a few lines above.
        Htmlstring = Htmlstring.Replace("*/", "");
        Htmlstring = Htmlstring.Replace("\r\n", "");
        // Requires an active request context; HttpContext.Current is null outside one.
        Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
        return Htmlstring;
    }
}
5.
/// <summary>
/// Reports whether <paramref name="str"/> contains any fragment of a fixed
/// keyword list. The match is a case-insensitive substring match, so ordinary
/// words trigger it too (for example "world" matches via "or").
/// </summary>
/// <param name="str">The text to inspect; must not be null.</param>
/// <returns>true when any listed fragment occurs anywhere in the text; otherwise false.</returns>
public static bool CheckBadWord(string str)
{
    const string badWords = @"select|insert|delete|from|count\(|droptable|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|execmaster|netlocalgroupadministrators|netuser|or|and";
    return Regex.IsMatch(str, badWords, RegexOptions.IgnoreCase);
}
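/// <summary>
/// Removes every occurrence of a fixed keyword list from <paramref name="str"/>.
/// </summary>
/// <remarks>
/// Plain case-sensitive substring removal: "SELECT" is left untouched while
/// "world" becomes "wld". The list mirrors the regex in CheckBadWord, and the
/// regex escapes the original carried into these literals ("count\(" etc.)
/// have been dropped: with String.Replace they could never match the intended
/// "count(" text. This is not a substitute for parameterized SQL.
/// </remarks>
/// <param name="str">The text to filter; must not be null.</param>
/// <returns>The text with all listed fragments removed.</returns>
/// <exception cref="ArgumentNullException"><paramref name="str"/> is null.</exception>
public static string Filter(string str)
{
    if (str == null)
    {
        throw new ArgumentNullException("str");
    }
    string[] badWords =
    {
        "select", "insert", "delete", "from", "count(", "droptable", "update",
        "truncate", "asc(", "mid(", "char(", "xp_cmdshell", "execmaster",
        "netlocalgroupadministrators", "netuser", "or", "and"
    };
    // Sequential removal: each entry sees the output of the previous one.
    foreach (string word in badWords)
    {
        str = str.Replace(word, "");
    }
    return str;
}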
希望本文所述对大家C#程序设计有所帮助。