.net 防止sql注入的参数过滤方法（黑名单式过滤，只能作为辅助手段；真正防止 SQL 注入应使用参数化查询，防止 XSS 应在输出时做 HTML 编码）
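// Filters are built once instead of rebuilding all eight Regex objects on every call.
// Character classes are [\s\S] (any character): the original's [\s\s] is just "whitespace",
// so e.g. "<script>alert(1)</script>" never matched the script-block filter and only the
// catch-all tag filter removed it. Lazy quantifiers (+?, *?) stop one match from swallowing
// the text between two payloads ("<script>a</script>keep<script>b</script>" keeps "keep").
private static readonly System.Text.RegularExpressions.Regex ScriptBlock =
    new System.Text.RegularExpressions.Regex(@"<script[\s\S]+?</script *>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
private static readonly System.Text.RegularExpressions.Regex JavaScriptHref =
    new System.Text.RegularExpressions.Regex(@" href *= *[\s\S]*?script *:", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
// Matches an on<event>= attribute name (onclick=, onload =, ...). The original " on[\s\s]*="
// only matched " on" followed by whitespace and "=", so real handlers were never neutralised.
private static readonly System.Text.RegularExpressions.Regex EventHandlerAttr =
    new System.Text.RegularExpressions.Regex(@" on\w+\s*=", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
private static readonly System.Text.RegularExpressions.Regex IframeBlock =
    new System.Text.RegularExpressions.Regex(@"<iframe[\s\S]+?</iframe *>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
private static readonly System.Text.RegularExpressions.Regex FramesetBlock =
    new System.Text.RegularExpressions.Regex(@"<frameset[\s\S]+?</frameset *>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
private static readonly System.Text.RegularExpressions.Regex AnyTag =
    new System.Text.RegularExpressions.Regex(@"<[^>]+>|</[^>]+>", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
// Still-encoded script blocks that survive the two UrlDecode passes (i.e. triple-encoded input).
private static readonly System.Text.RegularExpressions.Regex EncodedScriptBlock =
    new System.Text.RegularExpressions.Regex(@"%3Cscript[\s\S]+?%3C%2Fscript *%3E", System.Text.RegularExpressions.RegexOptions.IgnoreCase);
private static readonly System.Text.RegularExpressions.Regex DoubleEncodedScriptBlock =
    new System.Text.RegularExpressions.Regex(@"%253Cscript[\s\S]+?%253C%252Fscript *%253E", System.Text.RegularExpressions.RegexOptions.IgnoreCase);

/// <summary>
/// Strips a fixed blacklist of SQL-injection and XSS tokens from untrusted input.
/// </summary>
/// <remarks>
/// This is a blacklist filter and does not make string-built SQL safe: use parameterized
/// queries (SqlParameter) for SQL and context-aware output encoding for HTML. It removes only
/// the tokens listed below; any payload that does not contain them passes through untouched.
/// Processing order: trim; URL-decode twice so double-encoded payloads reach the filters;
/// drop "--" and "'"; drop script/iframe/frameset blocks and "javascript:" hrefs; rename
/// on* event attributes to "_disibledevent"; drop every remaining tag; finally drop script
/// blocks that are still URL-encoded. Note that UrlDecode also turns '+' into a space.
/// </remarks>
/// <param name="unSafetyString">Untrusted input; may be null or whitespace.</param>
/// <returns>
/// The filtered string, or <see cref="string.Empty"/> when the input is null or whitespace.
/// </returns>
public static string RemoveUnSafetyChar(string unSafetyString)
{
    if (string.IsNullOrWhiteSpace(unSafetyString))
    {
        return string.Empty;
    }

    string html = unSafetyString.Trim();

    // Two passes so that "%253C" -> "%3C" -> "<" is seen by the tag filters below.
    html = HttpUtility.UrlDecode(html);
    html = HttpUtility.UrlDecode(html);

    // SQL line comment and string delimiter.
    html = html.Replace("--", "");
    html = html.Replace("'", "");

    html = ScriptBlock.Replace(html, "");                        // <script>...</script>
    html = JavaScriptHref.Replace(html, "");                     // href=javascript: (<a>)
    html = EventHandlerAttr.Replace(html, " _disibledevent=");   // on<event>= handlers
    html = IframeBlock.Replace(html, "");                        // <iframe>...</iframe>
    html = FramesetBlock.Replace(html, "");                      // <frameset>...</frameset>
    html = AnyTag.Replace(html, "");                             // any remaining tag
    html = EncodedScriptBlock.Replace(html, "");                 // %3Cscript...%3C%2Fscript%3E
    html = DoubleEncodedScriptBlock.Replace(html, "");           // %253Cscript...%253C%252Fscript%253E

    return html;
}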