C#实现过滤sql特殊字符的方法集合
本文实例讲述了C#实现过滤sql特殊字符的方法集合。这些方法都是基于字符替换和关键字黑名单的过滤，只能作为辅助手段，应配合参数化查询（SqlParameter）使用，而不能代替参数化查询。分享给大家供大家参考,具体如下:
1.
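/// <summary>
/// Drops quote characters, HTML-encodes the three HTML-significant characters and
/// removes a few SQL keywords from <paramref name="Str"/>.
/// </summary>
/// <remarks>
/// This is a character/keyword blacklist, not an injection defense: it alters legitimate
/// input (any word containing "delete", "update" or "insert" is mangled) and keyword
/// stripping is bypassable. Values that reach SQL must be passed as parameters
/// (SqlParameter); at most this helper reduces what can be echoed back into HTML.
/// </remarks>
/// <param name="Str">Text to filter; <c>null</c> is treated as empty.</param>
/// <returns>The filtered text, or <see cref="string.Empty"/> for <c>null</c> input.</returns>
public static string FilteSQLStr(string Str)
{
    // The original dereferenced Str unconditionally and threw NullReferenceException on null.
    if (string.IsNullOrEmpty(Str))
    {
        return string.Empty;
    }

    // Quotes are dropped outright.
    Str = Str.Replace("'", "");
    Str = Str.Replace("\"", "");

    // HTML-encode '&' first so the entities produced for '<' and '>' are not re-encoded.
    // On the page these three calls rendered as no-op replacements (the entity text had
    // been swallowed by HTML rendering); the encoded forms are restored here.
    Str = Str.Replace("&", "&amp;");
    Str = Str.Replace("<", "&lt;");
    Str = Str.Replace(">", "&gt;");

    // Keyword removal was case-sensitive ("DELETE" passed through); match case-insensitively.
    // Single pass only: removing "delete" from "deldeleteete" leaves "delete" behind.
    Str = Regex.Replace(Str, "delete|update|insert", string.Empty, RegexOptions.IgnoreCase);

    return Str;
}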
2.
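#region Filter injection fragments out of a SQL string
/// <summary>
/// Rewrites characters and tokens commonly used in SQL injection payloads in
/// <paramref name="source"/>: doubles single quotes, converts ';', '(' and ')' to their
/// full-width forms, removes EXEC/EXECUTE and breaks up the xp_/sp_ and 0x tokens.
/// </summary>
/// <remarks>
/// The quote doubling is only correct when the result is embedded inside a single-quoted
/// SQL literal; passed as a SqlParameter it corrupts the stored value. Treat this as
/// defence in depth for string-built SQL that cannot yet be parameterized, not as the
/// primary control — keyword stripping is bypassable.
/// </remarks>
/// <param name="source">Input text; <c>null</c> is treated as empty.</param>
/// <returns>The rewritten text, or <see cref="string.Empty"/> for <c>null</c> input.</returns>
public static string SqlFilter(string source)
{
    // The original dereferenced source unconditionally and threw NullReferenceException on null.
    if (string.IsNullOrEmpty(source))
    {
        return string.Empty;
    }

    // Single quote -> two single quotes.
    source = source.Replace("'", "''");

    // Half-width ';' -> full-width '；' so a second statement cannot be chained.
    source = source.Replace(";", "；");

    // Half-width parentheses -> full-width.
    source = source.Replace("(", "（");
    source = source.Replace(")", "）");

    // Remove the stored-procedure execution keyword. The author's own comment asked for a
    // case-insensitive regex; it also fixes the ordering bug where "Exec" was removed
    // before "Execute" could ever match, leaving "ute" behind.
    source = Regex.Replace(source, "exec(?:ute)?", string.Empty, RegexOptions.IgnoreCase);

    // Break the system/extended stored-procedure prefixes and the hex-literal prefix
    // with a space instead of deleting user text. (The replacement text on the page
    // rendered as a no-op; the space break is a constructed reading of the stated intent.)
    source = source.Replace("xp_", "x p_");
    source = source.Replace("sp_", "s p_");
    source = source.Replace("0x", "0 x");

    return source;
}
#endregion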
3.
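/// <summary>
/// Replaces SQL-significant punctuation in <paramref name="str"/> with full-width
/// look-alikes (and '$' with '¥') so the text no longer parses as SQL syntax.
/// </summary>
/// <remarks>
/// The mapping changes what is stored and is only reversible by hand, so apply it for
/// display rather than before saving. Parameterized queries remain the control that
/// actually prevents injection; this helper does not replace them.
/// </remarks>
/// <param name="str">Text to filter; <c>null</c> and empty both yield an empty string.</param>
/// <returns>The text with each listed ASCII character mapped to its full-width form.</returns>
public static string ReplaceSQLChar(string str)
{
    // The original compared against String.Empty only and dereferenced null.
    if (string.IsNullOrEmpty(str))
    {
        return string.Empty;
    }

    // ASCII -> full-width (U+FF01..U+FF5E) look-alikes. On the page the targets had been
    // folded back to ASCII, turning most of these calls into no-ops; the surviving ‘ and ¥
    // entries show the intended mapping, which is restored here.
    str = str.Replace("'", "‘");
    str = str.Replace(";", "；");
    str = str.Replace(",", "，");
    str = str.Replace("?", "？");
    str = str.Replace("<", "＜");
    str = str.Replace(">", "＞");
    str = str.Replace("(", "（");
    str = str.Replace(")", "）");
    str = str.Replace("@", "＠");
    str = str.Replace("=", "＝");
    str = str.Replace("+", "＋");
    str = str.Replace("*", "＊");
    str = str.Replace("&", "＆");
    str = str.Replace("#", "＃");
    str = str.Replace("%", "％");
    str = str.Replace("$", "¥");

    return str;
}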
4.
/// <summary>
/// Strips script blocks, HTML tags and comments, decodes a handful of entities, deletes a
/// blacklist of SQL/OS tokens and punctuation, then HTML-encodes and trims the result.
/// </summary>
/// <remarks>
/// Review notes (the replacement chain is order-dependent, so the code is left as is):
/// - "and", "or", "net", "mid", "asc" and "char" are removed as bare substrings, so ordinary
///   text is mangled ("format" -> "fmat", "Internet" -> "Inter"); unusable on free text.
/// - "xp_cmdshell" is removed twice; Replace("*/", "") can never match because "*" has
///   already been deleted; "-" is deleted by both a Regex.Replace and a String.Replace.
/// - HttpContext.Current (System.Web) is null outside an ASP.NET request, so the final
///   HtmlEncode call throws NullReferenceException in that case.
/// - NOTE(review): the page's rendering appears to have collapsed spaces inside some
///   literals ("deletefrom", "droptable", "execmaster", "netlocalgroupadministrators",
///   "netuser"); confirm the intended patterns against the original source.
/// None of this is an injection defense; SQL values must be passed as parameters.
/// </remarks>
/// <param name="Htmlstring">Source text possibly containing HTML, script, SQL keywords and
/// special characters; <c>null</c> yields an empty string.</param>
/// <returns>The text with markup and blacklisted tokens removed, HTML-encoded and trimmed.</returns>
public string NoHtml(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }
    else
    {
        // Remove script blocks (non-greedy, case-insensitive; '.' does not span line breaks).
        Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
        // Remove any remaining tag.
        Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
        // Remove a line break together with the whitespace that follows it.
        Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
        // Strip HTML comment delimiters; the opener pattern consumes the rest of its line.
        Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);
        // Decode the common named/numeric entities back to characters.
        Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
        // Drop nbsp, map the Latin-1 symbol entities to their characters, then delete
        // every other numeric entity.
        Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
        // Delete database-related words (case-insensitive substring matches, single pass).
        Htmlstring = Regex.Replace(Htmlstring, "select", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "insert", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "deletefrom", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "droptable", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "truncate", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);
        // Second removal of "xp_cmdshell" — already handled above; redundant.
        Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "execmaster", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "netlocalgroupadministrators", "", RegexOptions.IgnoreCase);
        // "and", "or" and "net" are deleted wherever they occur, including inside other words.
        Htmlstring = Regex.Replace(Htmlstring, "and", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "netuser", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "or", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "net", "", RegexOptions.IgnoreCase);
        // Commented out in the original: "*" on its own is not a valid regex (nothing to repeat).
        // Htmlstring = Regex.Replace(Htmlstring, "*", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "-", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "delete", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "drop", "", RegexOptions.IgnoreCase);
        Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);
        // Special characters (plain String.Replace, not regex). Note that "*" and "-" are
        // deleted before "*/" is looked for, so that last replacement cannot match.
        Htmlstring = Htmlstring.Replace("<", "");
        Htmlstring = Htmlstring.Replace(">", "");
        Htmlstring = Htmlstring.Replace("*", "");
        Htmlstring = Htmlstring.Replace("-", "");
        Htmlstring = Htmlstring.Replace("?", "");
        Htmlstring = Htmlstring.Replace("'", "''");
        Htmlstring = Htmlstring.Replace(",", "");
        Htmlstring = Htmlstring.Replace("/", "");
        Htmlstring = Htmlstring.Replace(";", "");
        Htmlstring = Htmlstring.Replace("*/", "");
        Htmlstring = Htmlstring.Replace("\r\n", "");
        // Encode what is left for HTML output and trim; requires an active ASP.NET request.
        Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
        return Htmlstring;
    }
}
5.
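/// <summary>
/// Blacklist pattern shared by <see cref="CheckBadWord"/> and <see cref="Filter"/>.
/// </summary>
/// <remarks>
/// Entries match as substrings, as in the original, except that "or" and "and" are anchored
/// at word boundaries: unanchored they fired on "password", "format", "sandbox" and similar.
/// The multi-word entries use \s+ — the page's rendering had collapsed the spaces inside
/// "drop table", "exec master", "net localgroup administrators" and "net user" into single
/// tokens that never match real input (constructed reconstruction, verify against the source).
/// </remarks>
private const string BadWordPattern =
    @"select|insert|delete|from|count\(|drop\s+table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec\s+master|net\s+localgroup\s+administrators|net\s+user|\bor\b|\band\b";

private static readonly Regex BadWordRegex =
    new Regex(BadWordPattern, RegexOptions.IgnoreCase | RegexOptions.Compiled);

/// <summary>
/// Reports whether <paramref name="str"/> contains one of the blacklisted SQL/OS tokens.
/// </summary>
/// <remarks>
/// A keyword blacklist is at best a detection/telemetry aid: it cannot be complete, and the
/// substring entries still produce false positives on ordinary text ("information" contains
/// "from"). It does not replace parameterized queries.
/// </remarks>
/// <param name="str">Text to inspect; <c>null</c> or empty is reported as clean.</param>
/// <returns><c>true</c> when any pattern matches, ignoring case.</returns>
public static bool CheckBadWord(string str)
{
    // Regex.IsMatch throws ArgumentNullException on null; there is nothing to flag in empty input.
    return !string.IsNullOrEmpty(str) && BadWordRegex.IsMatch(str);
}

/// <summary>
/// Removes every occurrence of the blacklisted tokens from <paramref name="str"/>.
/// </summary>
/// <remarks>
/// The original used String.Replace with the regex-escaped literals (so "count\(" never
/// matched "count(") and was case-sensitive, disagreeing with <see cref="CheckBadWord"/>;
/// both now share one case-insensitive pattern. Removal is a single pass and mangles
/// legitimate words — prefer rejecting the input (or parameterizing) over rewriting it.
/// </remarks>
/// <param name="str">Text to rewrite; <c>null</c> yields an empty string.</param>
/// <returns>The text with all matches deleted.</returns>
public static string Filter(string str)
{
    if (string.IsNullOrEmpty(str))
    {
        return string.Empty;
    }

    return BadWordRegex.Replace(str, string.Empty);
}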
希望本文所述对大家C#程序设计有所帮助。