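/// <summary>
/// Strips characters and markup that this project treats as unsafe from untrusted input.
/// The value is trimmed, URL-decoded twice, has "--" and "'" removed, and is then run
/// through a fixed list of case-insensitive deny-list patterns that drop script, iframe
/// and frameset blocks, neutralise href="javascript:" and "on…=" handlers, remove any
/// remaining HTML tags, and drop script blocks that are still percent-encoded.
/// </summary>
/// <remarks>
/// This is a deny-list filter, not an encoder: callers still need contextual output
/// encoding for HTML and parameterised queries for SQL. The block-level patterns
/// previously used <c>[\s\s]</c> (whitespace only) where <c>[\s\S]</c> (any character)
/// was intended, so they never matched a real <c>&lt;script&gt;…&lt;/script&gt;</c> body;
/// they now use a lazy <c>[\s\S]+?</c> so that two blocks separated by legitimate text
/// are removed individually instead of together with everything in between.
/// </remarks>
/// <param name="unSafetyString">Untrusted input; may be null.</param>
/// <returns>
/// The filtered string, or <see cref="string.Empty"/> when the input is null, empty or whitespace.
/// </returns>
public static string RemoveUnSafetyChar(string unSafetyString)
{
    if (string.IsNullOrWhiteSpace(unSafetyString))
    {
        return string.Empty;
    }

    System.Text.RegularExpressions.RegexOptions ignoreCase = System.Text.RegularExpressions.RegexOptions.IgnoreCase;

    string html = unSafetyString.Trim();

    // Decode twice so that double-percent-encoded payloads are normalised before the
    // deny-list below runs. Note that UrlDecode also turns '+' into a space.
    html = HttpUtility.UrlDecode(html);
    html = HttpUtility.UrlDecode(html);

    // SQL comment marker and single quote.
    html = html.Replace("--", "");
    html = html.Replace("'", "");

    // The static Regex.Replace overloads go through the runtime's regex cache, so the
    // patterns are not recompiled on every call as they were with per-call new Regex(...).
    // Order is preserved from the original implementation.

    // <script>…</script> blocks, including their content.
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<script[\s\S]+?</script *>", "", ignoreCase);

    // href="javascript:" on <a>. Lazy so the match stops at the nearest "script:"; this
    // can still hit prose such as ' href="x">see the script:' — accepted false positive.
    html = System.Text.RegularExpressions.Regex.Replace(html, @" href *= *[\s\S]*?script *:", "", ignoreCase);

    // "on…=" event-handler attributes (onload=, onclick=, …). \w* also lets the original
    // " on =" form through; words such as " one=" in prose are an accepted false positive.
    html = System.Text.RegularExpressions.Regex.Replace(html, @" on\w*\s*=", " _disibledevent=", ignoreCase);

    // <iframe>…</iframe> and <frameset>…</frameset> blocks.
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<iframe[\s\S]+?</iframe *>", "", ignoreCase);
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<frameset[\s\S]+?</frameset *>", "", ignoreCase);

    // Any remaining tag. The original "<[^>]+>|</[^>]+>" second alternative is already
    // covered by the first ('/' is not '>'), so a single alternative is equivalent.
    html = System.Text.RegularExpressions.Regex.Replace(html, @"<[^>]+>", "", ignoreCase);

    // Script blocks that are still percent-encoded after the two decodes above
    // (i.e. input that was encoded more than twice).
    html = System.Text.RegularExpressions.Regex.Replace(html, @"%3Cscript[\s\S]+?%3C%2Fscript *%3E", "", ignoreCase);
    html = System.Text.RegularExpressions.Regex.Replace(html, @"%253Cscript[\s\S]+?%253C%252Fscript *%253E", "", ignoreCase);

    return html;
}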