
.Net 防范SQL注入

Posted on 2012-02-03 09:11  且行且思  阅读(581)  评论(0)

 

注意以下四点规范:

1.数据层操作推荐用参数方式(SqlParameter)

2.页面能够不传明文参数就不要传明文参数
3.Session,静态变量,不要滥用
4.不管在什么页面,对于传入的参数或输入的字符都要进行一下检查,做好了数据类型的验证以及过滤单引号,分号,尖括号,空格等等。

/********************************************************************************************** 

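  /// <summary>
        /// Sanitizes a user-supplied string: trims it, cuts it to <paramref name="maxLength"/>, collapses
        /// runs of whitespace, turns &lt;br&gt; / &lt;p ...&gt; tags into newlines, strips every other tag
        /// and doubles single quotes.
        /// </summary>
        /// <param name="text">User input string (may be null).</param>
        /// <param name="maxLength">Maximum length; the trimmed text is cut to this many characters before tag stripping.</param>
        /// <returns>The processed string; <see cref="string.Empty"/> for null or whitespace-only input.</returns>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="maxLength"/> is negative and the trimmed text is non-empty.</exception>
        /// <remarks>
        /// Doubling <c>'</c> only matters when the result is spliced into a quoted SQL literal; it does nothing for
        /// numeric positions and double-escapes a value that is later bound through SqlParameter. Rule 1 on this
        /// page (parameterized SQL) is the actual defense; treat this method as presentation clean-up.
        /// </remarks>
        public static string InputText(string text, int maxLength)
        {
            // The original called Trim() before checking for null and threw NullReferenceException.
            if (text == null)
                return string.Empty;
            text = text.Trim();
            if (string.IsNullOrEmpty(text))
                return string.Empty;
            if (text.Length > maxLength)
                text = text.Substring(0, maxLength);
            // Truncation happens before tag stripping, so a tag cut by the limit stays in the output as plain text.
            text = Regex.Replace(text, "[\\s]{2,}", " ");    // two or more whitespace characters -> one space
            // The '|' inside the character classes is a literal, so e.g. "<|r>" also matches; harmless but not intended.
            text = Regex.Replace(text, "(<[b|B][r|R]/*>)+|(<[p|P](.|\\n)*?>)", "\n");    // <br>, <p ...> -> newline
            text = Regex.Replace(text, "(\\s*&[n|N][b|B][s|S][p|P];\\s*)+", " ");    // &nbsp; -> space
            text = Regex.Replace(text, "<(.|\\n)*?>", string.Empty);    // any remaining tag
            text = text.Replace("'", "''");
            return text;
        }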

 

/// <summary>
/// Cleans the SQL inject.
/// Removes every single quote from a string value; null and non-string values are returned untouched.
/// </summary>
/// <param name="value">The value.</param>
/// <returns>The input with all <c>'</c> removed when it is a string; otherwise the input itself.</returns>
/// <remarks>
/// Dropping quotes alters legitimate data (names with an apostrophe) and gives no protection for a value used in
/// a numeric or identifier position; bind values with SqlParameter (rule 1 above) rather than relying on this.
/// </remarks>
public static object CleanSqlInject(object value)
{
    // Only strings are rewritten; everything else (including null) passes straight through.
    string text = value as string;
    if (text != null)
    {
        return text.Replace("'", string.Empty);
    }

    return value;
}

 

 

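/// <summary>
/// Strips script blocks and HTML tags, decodes a handful of common entities and removes a fixed
/// blacklist of SQL keywords from <paramref name="Htmlstring"/>.
/// </summary>
/// <param name="Htmlstring">Source text that may contain HTML, scripts, database keywords and special characters (may be null).</param>
/// <returns>The text with markup removed; <see cref="string.Empty"/> for null input.</returns>
/// <remarks>
/// The keyword blacklist is not an injection defense: keyword filters can be evaded, and this one also damages
/// ordinary text ("standard" loses "and", "character" loses "char"). Per rule 1 on this page, SQL must be
/// parameterized (SqlParameter); treat this method as display clean-up only.
/// The listing as printed had every regex backslash mangled to '/' ("[/r/n]", "/d+", "/xa1", "/\""), which
/// matched the literal letters instead of the intended escapes; the escapes are restored here.
/// </remarks>
public static string NoHTML(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }

    // Script blocks first (Singleline so a body spanning several lines is removed too), then any other tag.
    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase | RegexOptions.Singleline);
    Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    // A line break followed by whitespace is dropped entirely.
    Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    // Terminated comments were already removed by the tag pattern above; this handles an unterminated one
    // (to end of line).
    Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

    // Decode the entities the original handled, then drop any other numeric entity.
    Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\u00a1", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\u00a2", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\u00a3", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\u00a9", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

    // Case-insensitive removal of database-related words, in the original order (each pass sees the output
    // of the previous one). "xp_cmdshell" appeared twice in the original; it is listed once here.
    string[] blacklist =
    {
        "xp_cmdshell", "select", "insert", "delete from", "count''", "drop table", "truncate",
        "asc", "mid", "char", "exec master", "net localgroup administrators", "and",
    };
    foreach (string word in blacklist)
    {
        Htmlstring = Regex.Replace(Htmlstring, Regex.Escape(word), "", RegexOptions.IgnoreCase);
    }

    return Htmlstring;
}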

 

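/// <summary>
/// Escapes <c>&amp;</c>, <c>&lt;</c> and <c>&gt;</c> for HTML, doubles single quotes, turns line breaks into
/// <c>&lt;br/&gt;</c>, removes <c>*</c> and a fixed list of lower-case SQL keywords, then trims the result.
/// </summary>
/// <param name="str">Text to process (may be null).</param>
/// <returns>The transformed, trimmed text; <see cref="string.Empty"/> for null input.</returns>
/// <remarks>
/// The keyword blacklist is case-sensitive (<c>SELECT</c> passes) and mangles ordinary words such as
/// "selection"; it is display clean-up, not an injection defense. The <c>'</c> to <c>''</c> step is SQL
/// quoting, not HTML encoding, and double-escapes a value later bound through SqlParameter (rule 1 above).
/// </remarks>
public static string HtmlEncode(string str)
{
    if (str == null)
    {
        return string.Empty;   // the original dereferenced null and threw
    }

    str = str.Replace("&", "&amp;");   // '&' first so the entities written below are not re-encoded
    str = str.Replace("<", "&lt;");
    str = str.Replace(">", "&gt;");    // the original wrote "&gt" without the closing ';'
    str = str.Replace("'", "''");
    str = str.Replace("*", "");
    // CRLF has to go before bare LF: the original did the reverse, so "\r\n" became "\r<br/>" and the
    // "\r\n" replacement never matched.
    str = str.Replace("\r\n", "<br/>");
    str = str.Replace("\n", "<br/>");
    // Case-sensitive removal in the original order; "delcare" in the original was a typo for "declare".
    string[] blacklist = { "select", "insert", "update", "delete", "create", "drop", "declare" };
    foreach (string word in blacklist)
    {
        str = str.Replace(word, "");
    }
    // The original's "if (str.Trim() == "") str = "";" is subsumed by returning the trimmed string.
    return str.Trim();
}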
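/// <summary>
/// Filters a string: removes a fixed list of characters and (case-sensitive) SQL/HTML keywords,
/// rewrites square brackets as "……" and rewrites "alter", "cast" and "exists" as "z".
/// </summary>
/// <param name="Acc">Text to filter (may be null).</param>
/// <returns>The filtered string; <see cref="string.Empty"/> for null input.</returns>
/// <remarks>
/// Only the exact spellings listed are removed (three casings of script/object/applet, everything else
/// lower-case only), and ordinary words are damaged ("band" becomes "b"). This is not an injection
/// defense; bind values with SqlParameter (rule 1 above).
/// </remarks>
public string FangZhuRu(string Acc)
{
    if (Acc == null)
    {
        return string.Empty;   // the original dereferenced null and threw
    }

    Acc = Acc.Replace("[", "……");
    Acc = Acc.Replace("]", "……");

    // Sequential removal in the original order. The original repeated the single-character "'" pass five
    // times and had an "==" pass after every "=" was already gone; a single character can never be
    // re-formed by later removals, so those passes are dropped. The trailing lower-case "script", "object"
    // and "applet" passes are kept because removing the upper-case variant can re-form the lower-case word.
    // "\"\"" is the original's mangled "/"/"" literal restored: it removes a pair of adjacent double quotes
    // (a lone '"' is left alone) — confirm whether a single "\"" was intended.
    string[] removed =
    {
        "and", "=", "<", ">", ";", "'", "&", "--", "\"\"",
        "script", "SCRIPT", "Script", "script",
        "object", "OBJECT", "Object", "object",
        "applet", "APPLET", "Applet", "applet",
        "select", "execute", "exec", "join", "union", "where", "insert", "delete", "update", "like",
        "drop", "create", "rename", "count", "chr", "mid", "truncate", "nchar", "char",
    };
    foreach (string token in removed)
    {
        Acc = Acc.Replace(token, "");
    }

    // These three were replaced with "z" rather than removed in the original; kept as-is.
    string[] replacedWithZ = { "alter", "cast", "exists" };
    foreach (string token in replacedWithZ)
    {
        Acc = Acc.Replace(token, "z");
    }

    return Acc;
}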
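/// <summary>
/// HTML conversion: escapes <c>&lt;</c>, <c>&gt;</c>, double and single quotes, turns LF into
/// <c>&lt;br&gt;</c>, spaces into <c>&amp;nbsp;</c> and drops CR.
/// </summary>
/// <param name="chr">Text to convert (may be null).</param>
/// <returns>The converted text; <see cref="string.Empty"/> for null input.</returns>
/// <remarks>
/// The listing as printed showed each replacement target already decoded to the character it stands for
/// (and a malformed string literal on the double-quote line), which does not compile; the standard entity
/// for each character is restored here. <c>&amp;</c> itself is not encoded, so entity text in the input
/// reaches the output unchanged — confirm that is intended.
/// </remarks>
public static string htmlstr(string chr)
{
    if (chr == null)
        return "";
    chr = chr.Replace("<", "&lt;");
    chr = chr.Replace(">", "&gt;");
    chr = chr.Replace("\n", "<br>");      // before "\r" is dropped, so "\r\n" ends up as "<br>"
    chr = chr.Replace("\"", "&quot;");
    chr = chr.Replace("'", "&#39;");      // presumed target; the original literal was lost to entity decoding
    chr = chr.Replace(" ", "&nbsp;");
    chr = chr.Replace("\r", "");
    return chr;
}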