登录界面常常会涉及到敏感关键字的注入
为了对应面试,再看一下
怎样防止注入,
可以过滤SQL需要参数中的敏感字符(忽略大小写)
public static string Split(string inputString) //防止SQL注入方法
{
inputString = inputString.Trim();
inputString = inputString.Replace("'","");
inputString = inputString.Replace(";--", "");
inputString = inputString.Replace("--", "");
inputString = inputString.Replace("=", "");
//and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|count|*|%|union 等待关键字过滤
//不要忘记为你的用户名框,密码框设定 允许输入的最多字符长度 maxlength的值哦,这样他们就无法编写太长的东西来再次拼成第一次过滤掉的关键字 如 oorr一次replace过滤后又成了 or 喔。
inputString = inputString.Replace("and", "");
inputString = inputString.Replace("exec", "");
inputString = inputString.Replace("insert", "");
inputString = inputString.Replace("select", "");
inputString = inputString.Replace("delete", "");
inputString = inputString.Replace("update", "");
inputString = inputString.Replace("chr", "");
inputString = inputString.Replace("mid", "");
inputString = inputString.Replace("master", "");
inputString = inputString.Replace("or", "");
inputString = inputString.Replace("truncate", "");
inputString = inputString.Replace("char", "");
inputString = inputString.Replace("declare", "");
inputString = inputString.Replace("join", "");
inputString = inputString.Replace("count", "");
inputString = inputString.Replace("*", "");
inputString = inputString.Replace("%", "");
inputString = inputString.Replace("union", "");
return inputString;
}
#region 过滤SQL,所有涉及到输入的用户直接输入的地方都要使用
/// <summary>
/// 过滤SQL,所有涉及到输入的用户直接输入的地方都要使用。
/// </summary>
/// <param name="text">输入内容</param>
/// <returns>过滤后的文本</returns>
public static string filterSQL(string text)
{
text = text.Replace("'", "''");
text = text.Replace("{", "{");
text = text.Replace("}", "}"); return text;
}
#endregion
#region 过滤SQL,将SQL字符串里面的(')转换成(''),再在字符串的两边加上(')
/// <summary>
/// 将SQL字符串里面的(')转换成(''),再在字符串的两边加上(')。
/// </summary>
/// <param name="text">输入内容</param>
/// <returns>过滤后的文本</returns>
public static String GetQuotedString(String text)
{
return ("'" + filterSQL(text) + "'");
}
#endregion
防注入参数化过程实例:
public static void Paramter(string getdataSql, string template, object parameters)
{
if (!string.IsNullOrEmpty(getdataSql))
{
CallContext.SetData(getdataSql, new KeyValuePair<string, object>(template, parameters));
}
} private long ExecuteScalar(string sql)
{
using (
IDbConnection dbConnection =
new SqlConnection(_unitOfWork.DbConnectionString))
{
try
{
dbConnection.Open();
var command = dbConnection.CreateCommand();
command.CommandText = sql;
command.CommandType = CommandType.Text;
object obj = command.ExecuteScalar();
long result = default(long);
if (null != obj)
{
result = Convert.ToInt64(obj);
}
return result;
}
finally
{
dbConnection.Close();
}
}
}