C#-常用的防sql注入的关键词检测Helper

using System;
using System.Collections.Specialized;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
 6 
 7 namespace HOST_CONTROL_CENTER.Uril.DBHelper
 8 {
 9     /// <summary>
10     /// 防sql注入关键词检测
11     /// sql关键词与xss攻击语句
12     /// 注:尽量使用参数化传值不要拼接sql
13     /// </summary>
14     public class SafeSqlHelper
15     {
16         private const string StrRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
17         public static bool PostData()
18         {
19             bool result = false;
20             for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
21             {
22                 result = CheckData(HttpContext.Current.Request.Form[i].ToString());
23                 if (result)
24                 {
25                     break;
26                 }
27             }
28             return result;
29         }
30 
31         /// <summary>
32         /// 获取数据
33         /// </summary>
34         /// <returns></returns>
35         public static bool GetData()
36         {
37             bool result = false;
38             for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
39             {
40                 result = CheckData(HttpContext.Current.Request.QueryString[i].ToString());
41                 if (result)
42                 {
43                     break;
44                 }
45             }
46             return result;
47         }
48         /// <summary>
49         /// Cookie数据
50         /// </summary>
51         /// <returns></returns>
52         public static bool CookieData()
53         {
54             bool result = false;
55             for (int i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
56             {
57                 result = CheckData(HttpContext.Current.Request.Cookies[i].Value.ToLower());
58                 if (result)
59                 {
60                     break;
61                 }
62             }
63             return result;
64 
65         }
66         public static bool referer()
67         {
68             bool result = false;
69             return result = CheckData(HttpContext.Current.Request.UrlReferrer.ToString());
70         }
71 
72         /// <summary>
73         /// 检查数据
74         /// </summary>
75         /// <param name="inputData"></param>
76         /// <returns></returns>
77         public static bool CheckData(string inputData)
78         {
79             if (Regex.IsMatch(inputData, StrRegex))
80             {
81                 return true;
82             }
83             else
84             {
85                 return false;
86             }
87         }
88     }
89 }

注:本类只是关键词黑名单检测,容易被绕过,也会对正常文本误报,不能作为主要防线;请始终使用参数化查询传值,不要拼接 SQL。
