过滤特殊字符
如果使用接口式的sql连接,很容易收到sql注入式的攻击。
sql注入式攻击是指攻击者将sql语句传递到应用程序的过程,使程序中的sql代码不按程序设计人员的预定方式进行。特别是在登录时,用户常利用的特定字符创建一个恒等条件,从而不需要任何用户名和密码就可以访问网站。
下面的代码是把相关的sql注入式攻击的危险字符过滤掉,并给与警告和处理。
public string NoHTML(string Htmlstring)
{
if (Htmlstring == null)
{
return "";
}
else
{
//删除脚本
Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
//删除HTML
Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"([rn])[s]+", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "xa1", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "xa2", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "xa3", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "xa9", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&#(d+);", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "/r", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "/n", "", RegexOptions.IgnoreCase);
//特殊的字符
Htmlstring = Htmlstring.Replace("<", "");
Htmlstring = Htmlstring.Replace(">", "");
Htmlstring = Htmlstring.Replace("*", "");
Htmlstring = Htmlstring.Replace("-", "");
Htmlstring = Htmlstring.Replace("?", "");
Htmlstring = Htmlstring.Replace(",", "");
Htmlstring = Htmlstring.Replace("/", "");
Htmlstring = Htmlstring.Replace(";", "");
Htmlstring = Htmlstring.Replace("*/", "");
Htmlstring = Htmlstring.Replace("rn", "");
Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
return Htmlstring;
}
}