防止sql注入

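/// <summary>
  /// Removes a small fixed set of characters that commonly appear in SQL
  /// injection payloads from <paramref name="value"/> (blacklist filter).
  /// </summary>
  /// <remarks>
  /// This is input mangling, not escaping: legitimate commas, spaces and
  /// quotes are stripped too, and nothing here makes a concatenated query
  /// safe. Parameterized queries remain the actual defense; treat this as a
  /// best-effort tidy-up of display text only. Each token is removed in a
  /// single pass, so sequences that only form after an earlier removal are
  /// not caught.
  /// </remarks>
  /// <param name="value">Untrusted string to clean; may be <c>null</c>.</param>
  /// <returns>
  /// The input with the listed sequences removed, or an empty string when
  /// <paramref name="value"/> is <c>null</c> or empty.
  /// </returns>
  public static string SqlTextClear(string value)
  {
    // Same convention as ReplaceSQLChar: null in, empty string out
    // (a bare value.Replace on null would throw).
    if (string.IsNullOrEmpty(value))
    {
      return "";
    }

    // Both the ASCII apostrophe (the SQL string delimiter) and the
    // typographic U+2018 quote are stripped; removing only U+2018 would
    // leave the delimiter that actually matters. "--" is the SQL
    // line-comment introducer.
    string[] banned = { ",", "<", ">", "--", "'", "‘", "\"", "=", "%", " " };
    foreach (var token in banned)
    {
      value = value.Replace(token, "");
    }

    return value;
  }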
  /// <summary>
  /// 替换特殊字符,防SQL注入
  /// </summary>
  /// <param name="str"></param>
  /// <returns></returns>
  public static string ReplaceSQLChar(string str)
  {
  if (string.IsNullOrEmpty(str))
  return "";
   
  str = str.Replace("‘", "");
  str = str.Replace(";", "");
  str = str.Replace(",", "");
  str = str.Replace("?", "");
  str = str.Replace("<", "");
  str = str.Replace(">", "");
  str = str.Replace("(", "");
  str = str.Replace(")", "");
  str = str.Replace("@", "");
  str = str.Replace("=", "");
  str = str.Replace("+", "");
  str = str.Replace("*", "");
  str = str.Replace("&", "");
  str = str.Replace("#", "");
  str = str.Replace("%", "");
  str = str.Replace("$", "");
   
  //删除与数据库相关的词
  str = Regex.Replace(str, "select", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "insert", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "delete from", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "count", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "drop table", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "asc", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "mid", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "char", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "xp_cmdshell", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "exec master", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "net localgroup administrators", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "and", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "net user", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "or", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "net", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "-", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "delete", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "drop", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "script", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "update", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "and", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "chr", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "master", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "declare", "", RegexOptions.IgnoreCase);
  str = Regex.Replace(str, "mid", "", RegexOptions.IgnoreCase);
   
  return str;
  }

防止sql注入
