過濾SQL關鍵字,防止SQL注入
阿新 • • 發佈:2018-12-26
轉自https://blog.csdn.net/qq_26947857/article/details/80745655
定義一個方法進行關鍵字的過濾,方法中使用正則表示式過濾:
///<summary> /// 過濾字串中注入SQL指令碼的方法 ///</summary> ///<param name="source">傳入的字串</param> ///<returns>過濾後的字串</returns> private static string SqlFilters(string source) { //半形括號替換為全形括號 source = source.Replace("'", "'''"); //去除執行SQL語句的命令關鍵字 source = Regex.Replace(source, "select", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "insert", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "update", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "delete", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "drop", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "truncate", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "declare", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "xp_cmdshell", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "/add", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "net user", "", RegexOptions.IgnoreCase); //去除執行儲存過程的命令關鍵字 source = Regex.Replace(source, "exec", "", RegexOptions.IgnoreCase); source = Regex.Replace(source, "execute", "", RegexOptions.IgnoreCase); //去除系統儲存過程或擴充套件儲存過程關鍵字 source = Regex.Replace(source, "xp_", "x p_", RegexOptions.IgnoreCase); source = Regex.Replace(source, "sp_", "s p_", RegexOptions.IgnoreCase); //防止16進位制注入 source = Regex.Replace(source, "0x", "0 x", RegexOptions.IgnoreCase); return source; }
當然也可以新增自己想要的過濾正則,下面加入一個方法呼叫並返回過濾後的字串:
///<summary> /// 防注入過濾函式 ///</summary> ///<param name="inputString">需要過濾字串</param> ///<returns>過濾後的字串</returns> public static string Filter(string inputString) { if (inputString != ""&&inputString!=null) { string sql = SqlFilters(inputString); if (sql == "") { sql = "敏感字元"; } return sql; } else { return inputString; } }
在我們做web開發的過程中,Web安全問題一直都是最大的隱患,網際網路的繁榮離不開網路安全,這是我們的機遇也是我們的挑戰。