防范querystring方式的SQL注入的一个方法
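/// <summary>
/// Reads one value from the current request's query string and passes it through
/// <see cref="InputText"/> with a 30-character limit.
/// </summary>
/// <remarks>
/// <see cref="InputText"/> is a blacklist filter plus markup encoding, not a SQL-injection
/// defence on its own; any database command that uses the result must still be parameterised.
/// </remarks>
/// <param name="str">Name of the query-string key to read.</param>
/// <returns>The filtered value, or null when the key is absent from the query string.</returns>
/// <exception cref="InvalidOperationException">No current HTTP request (HttpContext.Current is null).</exception>
public static string safeRequest(string str)
{
    return safeRequest(str, 30);
}

/// <summary>
/// Same as <see cref="safeRequest(string)"/>, with a caller-chosen maximum length.
/// </summary>
/// <param name="str">Name of the query-string key to read.</param>
/// <param name="maxLength">Maximum number of characters kept by <see cref="InputText"/>; the
/// single-argument overload uses 30.</param>
/// <returns>The filtered value, or null when the key is absent from the query string.</returns>
/// <exception cref="InvalidOperationException">No current HTTP request (HttpContext.Current is null).</exception>
public static string safeRequest(string str, int maxLength)
{
    // HttpContext.Current is null outside an ASP.NET request (background threads, unit
    // tests); the original dereferenced it unconditionally and failed with a
    // NullReferenceException that names nothing. Fail explicitly instead.
    HttpContext context = HttpContext.Current;
    if (context == null)
        throw new InvalidOperationException("safeRequest requires a current HTTP request.");

    // The NameValueCollection indexer already returns null for a missing key, so there is
    // no need to go through object and ToString().
    string raw = context.Request.QueryString[str];
    if (raw == null)
        return null;

    return InputText(raw, maxLength);
}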
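/// <summary>
/// Trims and length-limits an untrusted input string, HTML-encodes the double-quote and
/// angle-bracket characters, then runs a fixed chain of ordinal, case-sensitive
/// StringBuilder.Replace passes that blank single quotes and semicolons, strip a list of
/// SQL keywords and stored-procedure names, and rewrite spaces.
/// </summary>
/// <remarks>
/// This is a blacklist, not a SQL-injection defence: the keyword passes match the exact
/// lower-case spellings listed here and nothing else, and they also mangle legitimate text
/// that happens to contain those words (e.g. "update" or "drop" inside a sentence). Any SQL
/// built from the result must still use parameterised commands; treat this method as length
/// limiting plus output encoding for markup.
/// </remarks>
/// <param name="inputString">Raw value to filter; null or empty yields an empty string.</param>
/// <param name="maxLength">Maximum number of characters kept after trimming; longer input is
/// truncated before encoding, so the encoded result may be longer than this.</param>
/// <returns>The filtered string; never null.</returns>
/// <exception cref="ArgumentOutOfRangeException">Raised by Substring when
/// <paramref name="maxLength"/> is negative and the input is non-empty.</exception>
public static string InputText(string inputString, int maxLength)
{
    System.Text.StringBuilder retVal = new System.Text.StringBuilder();
    // Null or blank input produces an empty string rather than an exception.
    if (!string.IsNullOrEmpty(inputString))
    {
        inputString = inputString.Trim();
        // Chop the string in case the client-side max-length fields are bypassed,
        // so over-long values never reach the data layer.
        if (inputString.Length > maxLength)
            inputString = inputString.Substring(0, maxLength);
        // Encode the symbols that would break markup, in case the regular-expression
        // validators are changed. The appended values are the HTML entities; the
        // copy that appended the raw character back was an extraction artefact.
        for (int i = 0; i < inputString.Length; i++)
        {
            switch (inputString[i])
            {
                case '"':
                    retVal.Append("&quot;");
                    break;
                case '<':
                    retVal.Append("&lt;");
                    break;
                case '>':
                    retVal.Append("&gt;");
                    break;
                default:
                    retVal.Append(inputString[i]);
                    break;
            }
        }
        // Sequential passes: order matters because each pass sees the previous pass's
        // output (the space rewrite below also hits the spaces produced by the first
        // two replacements).
        // Replace single quotes and semicolons with white space.
        retVal.Replace("'", " ");
        retVal.Replace(";", " ");
        // Strip SQL keywords (exact lower-case spelling only; StringBuilder.Replace is ordinal).
        retVal.Replace("insert", "");
        retVal.Replace("select", "");
        retVal.Replace("delete", "");
        retVal.Replace("update", "");
        retVal.Replace("drop", "");
        retVal.Replace("create", "");
        retVal.Replace("alter", "");
        // NOTE(review): "20%" looks like a transposed URL-encoded space ("%20"); kept as
        // written because the intended output is unclear — confirm with the author.
        retVal.Replace(" ", "20%");
        // Strip extended and OLE-automation stored-procedure names.
        retVal.Replace("xp_cmdshell", "");
        retVal.Replace("xp_regaddmultistring", "");
        retVal.Replace("xp_regdeletekey", "");
        retVal.Replace("xp_regdeletevalue", "");
        retVal.Replace("xp_regenumkeys", "");
        retVal.Replace("xp_regenumvalues", "");
        retVal.Replace("xp_regread", "");
        retVal.Replace("xp_regremovemultistring", "");
        retVal.Replace("xp_regwrite", "");
        retVal.Replace("sp_OACreate", "");
        retVal.Replace("sp_OADestroy", "");
        retVal.Replace("sp_OAMethod", "");
        retVal.Replace("sp_OAGetProperty", "");
        retVal.Replace("sp_OASetProperty", "");
        retVal.Replace("sp_OAGetErrorInfo", "");
        retVal.Replace("sp_OAStop", "");
    }
    return retVal.ToString();
}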
{
string outStr = null;
object querStr = HttpContext.Current.Request.QueryString[str];
if (querStr != null)
{
outStr = InputText(querStr.ToString(), 30);
return outStr;
}
else
return outStr;
}
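/// <summary>
/// Trims and length-limits an untrusted input string, HTML-encodes the double-quote and
/// angle-bracket characters, then runs a fixed chain of ordinal, case-sensitive
/// StringBuilder.Replace passes that blank single quotes and semicolons, strip a list of
/// SQL keywords and stored-procedure names, and rewrite spaces.
/// </summary>
/// <remarks>
/// This is a blacklist, not a SQL-injection defence: the keyword passes match the exact
/// lower-case spellings listed here and nothing else, and they also mangle legitimate text
/// that happens to contain those words (e.g. "update" or "drop" inside a sentence). Any SQL
/// built from the result must still use parameterised commands; treat this method as length
/// limiting plus output encoding for markup.
/// </remarks>
/// <param name="inputString">Raw value to filter; null or empty yields an empty string.</param>
/// <param name="maxLength">Maximum number of characters kept after trimming; longer input is
/// truncated before encoding, so the encoded result may be longer than this.</param>
/// <returns>The filtered string; never null.</returns>
/// <exception cref="ArgumentOutOfRangeException">Raised by Substring when
/// <paramref name="maxLength"/> is negative and the input is non-empty.</exception>
public static string InputText(string inputString, int maxLength)
{
    System.Text.StringBuilder retVal = new System.Text.StringBuilder();
    // Null or blank input produces an empty string rather than an exception.
    if (!string.IsNullOrEmpty(inputString))
    {
        inputString = inputString.Trim();
        // Chop the string in case the client-side max-length fields are bypassed,
        // so over-long values never reach the data layer.
        if (inputString.Length > maxLength)
            inputString = inputString.Substring(0, maxLength);
        // Encode the symbols that would break markup, in case the regular-expression
        // validators are changed. The appended values are the HTML entities; the
        // copy that appended the raw character back was an extraction artefact.
        for (int i = 0; i < inputString.Length; i++)
        {
            switch (inputString[i])
            {
                case '"':
                    retVal.Append("&quot;");
                    break;
                case '<':
                    retVal.Append("&lt;");
                    break;
                case '>':
                    retVal.Append("&gt;");
                    break;
                default:
                    retVal.Append(inputString[i]);
                    break;
            }
        }
        // Sequential passes: order matters because each pass sees the previous pass's
        // output (the space rewrite below also hits the spaces produced by the first
        // two replacements).
        // Replace single quotes and semicolons with white space.
        retVal.Replace("'", " ");
        retVal.Replace(";", " ");
        // Strip SQL keywords (exact lower-case spelling only; StringBuilder.Replace is ordinal).
        retVal.Replace("insert", "");
        retVal.Replace("select", "");
        retVal.Replace("delete", "");
        retVal.Replace("update", "");
        retVal.Replace("drop", "");
        retVal.Replace("create", "");
        retVal.Replace("alter", "");
        // NOTE(review): "20%" looks like a transposed URL-encoded space ("%20"); kept as
        // written because the intended output is unclear — confirm with the author.
        retVal.Replace(" ", "20%");
        // Strip extended and OLE-automation stored-procedure names.
        retVal.Replace("xp_cmdshell", "");
        retVal.Replace("xp_regaddmultistring", "");
        retVal.Replace("xp_regdeletekey", "");
        retVal.Replace("xp_regdeletevalue", "");
        retVal.Replace("xp_regenumkeys", "");
        retVal.Replace("xp_regenumvalues", "");
        retVal.Replace("xp_regread", "");
        retVal.Replace("xp_regremovemultistring", "");
        retVal.Replace("xp_regwrite", "");
        retVal.Replace("sp_OACreate", "");
        retVal.Replace("sp_OADestroy", "");
        retVal.Replace("sp_OAMethod", "");
        retVal.Replace("sp_OAGetProperty", "");
        retVal.Replace("sp_OASetProperty", "");
        retVal.Replace("sp_OAGetErrorInfo", "");
        retVal.Replace("sp_OAStop", "");
    }
    return retVal.ToString();
}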