別的部落格抄過來的工具方法
阿新 • 發佈:2021-07-17
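/// <summary>
/// Keyword blacklist check for a SQL fragment. Lower-cases and trims the input,
/// then looks for a fixed set of substrings ("exec", "delete", "master",
/// "truncate", "declare", "create", "xp_").
/// NOTE(review): this is a substring blacklist, not an injection defence. It
/// flags harmless text that merely contains these letters (e.g. "created",
/// "mastering") and says nothing about quoting, comment sequences or any
/// keyword missing from the list. The real protection has to come from
/// parameterized queries; treat this return value as a coarse heuristic or a
/// logging signal only.
/// </summary>
/// <param name="sSql">SQL text to inspect. Must not be null.</param>
/// <returns>0 when none of the blacklisted substrings occurs, 1 otherwise.</returns>
/// <exception cref="ArgumentNullException"><paramref name="sSql"/> is null.</exception>
public int filterSql( string sSql)
{
    if (sSql == null)
    {
        throw new ArgumentNullException("sSql");
    }

    // Invariant lower-casing so the match does not depend on the thread
    // culture (a culture-sensitive ToLower() would miss "DELETE" under tr-TR).
    string normalized = sSql.ToLowerInvariant().Trim();

    // The original version removed each entry with Replace() and compared the
    // length before and after; since every removal shortens the string, that is
    // equivalent to "at least one entry occurs as a substring", which is what
    // is checked here directly.
    string[] blacklist = { "exec", "delete", "master", "truncate", "declare", "create", "xp_" };
    foreach (string token in blacklist)
    {
        // string.Contains(string) is an ordinal comparison on every runtime.
        if (normalized.Contains(token))
        {
            return 1;
        }
    }
    return 0;
}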
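<script type="text/javascript">
<!--
// Client-side heuristic: tests the query string against a fixed list of
// URL-encoded SQL fragments and, on a match, alerts and redirects to error.asp.
// NOTE(review): this runs in the visitor's browser and is skipped by any
// request that does not execute the page's script, so it only improves the
// experience for accidental input; the server must validate on its own
// (parameterized queries), independent of this check.
var url = location.search;
var re=/^\?(.*)(select%20|insert%20| delete %20from%20|count\(|drop%20table|update%20truncate%20|asc\(|mid\(|char\(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|\ "|:|net%20user|\|%20or%20)(.*)$/gi;
var e = re.test(url);
if(e) {
alert(" 地址中含有非法字元~ ");
location.href=" error.asp";
}
// The original listing closed the block with a second opening <script> tag,
// which leaves the element unterminated; it must be the closing tag below.
//-->
</script>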