过滤特殊字符

如果使用拼接式的sql语句连接数据库,很容易受到sql注入式的攻击。

sql注入式攻击是指攻击者将sql语句传递到应用程序的过程,使程序中的sql代码不按程序设计人员的预定方式进行。特别是在登录时,用户常利用的特定字符创建一个恒等条件,从而不需要任何用户名和密码就可以访问网站。

  下面的代码是把与sql注入式攻击相关的危险字符过滤掉,并给予警告和处理。

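/// <summary>
/// Strips HTML markup, a fixed set of HTML entities and a blacklist of
/// characters from <paramref name="Htmlstring"/>, then HTML-encodes and trims
/// what is left. This is a lossy, blacklist-based cleaner for producing
/// display-safe text; it does not make a concatenated SQL statement safe —
/// use parameterised queries for that, independently of this method.
/// </summary>
/// <param name="Htmlstring">Raw input text; may be null.</param>
/// <returns>
/// The cleaned, HTML-encoded, trimmed text; an empty string when the input is null.
/// </returns>
public string NoHTML(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }

    string text = Htmlstring;

    // 1. Remove scripts, then any remaining tag, then HTML comments.
    text = Regex.Replace(text, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    // A line break followed by whitespace. The published listing reads
    // "([rn])[s]+" — the backslashes were lost when the code was pasted —
    // which would have stripped a literal 'r'/'n' followed by 's'. Restored.
    text = Regex.Replace(text, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"-->", "", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"<!--.*", "", RegexOptions.IgnoreCase);

    // 2. Decode a handful of named/numeric entities (or drop them). Note that
    //    "&lt;"/"&gt;" become real angle brackets here, after tag stripping,
    //    and are then removed again by the character blacklist below.
    text = Regex.Replace(text, @"&(quot|#34);", "", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(nbsp|#160);", "", RegexOptions.IgnoreCase);
    // The listing shows "xa1".."xa9" as replacement text; these were "\xa1" etc.
    // (¡ ¢ £ ©) before the backslashes were lost. Written as \u escapes so the
    // length of the escape is unambiguous.
    text = Regex.Replace(text, @"&(iexcl|#161);", "\u00a1", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(cent|#162);", "\u00a2", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(pound|#163);", "\u00a3", RegexOptions.IgnoreCase);
    text = Regex.Replace(text, @"&(copy|#169);", "\u00a9", RegexOptions.IgnoreCase);
    // Any other numeric character reference is dropped. The listing's "&#(d+);"
    // (no backslash) never matched a real reference; "\d+" is the intent.
    text = Regex.Replace(text, @"&#(\d+);", "", RegexOptions.IgnoreCase);

    // 3. Remove a single SQL Server procedure name (case-insensitively) and all
    //    spaces and line breaks. "/r" and "/n" in the listing are read as the
    //    escapes "\r" and "\n"; plain string Replace is equivalent to the
    //    original Regex.Replace for these literal patterns.
    text = Regex.Replace(text, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    text = text.Replace(" ", "");
    text = text.Replace("\r", "");
    text = text.Replace("\n", "");

    // 4. Character blacklist. The original also removed "*/" and "\r\n"
    //    afterwards, but both are unreachable once '*', '/', '\r' and '\n'
    //    have each been removed individually, so those steps are omitted.
    foreach (string token in new[] { "<", ">", "*", "-", "?", ",", "/", ";" })
    {
        text = text.Replace(token, "");
    }

    // 5. Encode for HTML output. System.Net.WebUtility is used instead of
    //    HttpContext.Current.Server so the method also works where there is
    //    no ambient request (HttpContext.Current is null on background threads
    //    and in tests, which made the original throw NullReferenceException).
    return System.Net.WebUtility.HtmlEncode(text).Trim();
}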
