注意以下四点规范:
1.数据层操作推荐用参数方式(Sqlparameter)
2.页面能够不传明文参数就不要传明文参数
3.Session,静态变量,不要滥用
4.不管在什么页面,对于传入的参数或输入的字符都要进行检查,做好数据类型的验证,并过滤单引号、分号、尖括号、空格等。
/**********************************************************************************************
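/// <summary>
/// 防止恶意输入
/// Normalises a piece of user text: trims it, truncates it to <paramref name="maxLength"/>,
/// collapses runs of whitespace, turns &lt;br&gt; / &lt;p ...&gt; tags and &amp;nbsp; into a newline
/// or a space, removes every other tag, and finally doubles apostrophes.
/// </summary>
/// <remarks>
/// Doubling "'" only helps when the value is spliced into a single-quoted SQL literal; it is not
/// encoding for any other context, and parameterized queries (SqlParameter) remain the real control.
/// </remarks>
/// <param name="text">用户输入字符串; null is treated like an empty string.</param>
/// <param name="maxLength">最大长度 — number of characters kept after trimming.</param>
/// <returns>返回经过处理的字符串; empty when the trimmed input is empty.</returns>
/// <exception cref="ArgumentOutOfRangeException"><paramref name="maxLength"/> is negative.</exception>
public static string InputText(string text, int maxLength)
{
    if (maxLength < 0)
    {
        throw new ArgumentOutOfRangeException(nameof(maxLength));
    }

    // The listing called text.Trim() before its null/empty check, so a null argument threw.
    text = (text ?? string.Empty).Trim();
    if (text.Length == 0) return string.Empty;
    if (text.Length > maxLength) text = text.Substring(0, maxLength);

    text = Regex.Replace(text, @"\s{2,}", " "); //两个或者两个以上的空格
    // <br>, <br/> and <p ...> become a newline. IgnoreCase replaces the listing's "[b|B][r|R]"
    // character classes, which also matched a literal '|'.
    text = Regex.Replace(text, @"(<br/*>)+|(<p(.|\n)*?>)", "\n", RegexOptions.IgnoreCase); //<br>
    text = Regex.Replace(text, @"(\s*&nbsp;\s*)+", " ", RegexOptions.IgnoreCase); //&nbsp;
    text = Regex.Replace(text, @"<(.|\n)*?>", string.Empty); //其它标记
    // SQL-literal style quote doubling, kept for callers that depend on it (see remarks).
    text = text.Replace("'", "''");
    return text;
}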
/// <summary>
/// Cleans the SQL inject.
/// 清除Sql注入。
/// Removes every apostrophe from a string value; null and any non-string value are returned
/// exactly as given.
/// </summary>
/// <remarks>
/// This is a lossy blacklist ("O'Brien" comes back as "OBrien") and only addresses single-quoted
/// string literals; parameterized queries (SqlParameter) are the control that actually prevents
/// injection.
/// </remarks>
/// <param name="value">The value.</param>
/// <returns>无Sql注入问题的Sql</returns>
public static object CleanSqlInject(object value)
{
    // Only string payloads are rewritten; everything else (including null) passes straight through.
    return value is string text
        ? text.Replace("'", string.Empty)
        : value;
}
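/// <summary>
/// 过滤标记
/// Strips script blocks, tags and comments from <paramref name="Htmlstring"/>, decodes a handful
/// of entities back to plain characters, and then blanks a fixed list of SQL-looking words.
/// </summary>
/// <remarks>
/// The result is plain text, not HTML: entities such as &amp;lt; are decoded after the tags have
/// been removed, so the return value can contain raw '&lt;' and '&gt;' and must be HTML-encoded
/// again before it is written into a page. The word list is matched as plain substrings with no
/// word boundaries, so ordinary text is damaged as well ("hand" becomes "h", "middle" becomes
/// "dle", "Richard" becomes "Rid"); it offers no real protection, and parameterized queries
/// (SqlParameter) remain the actual injection control.
/// </remarks>
/// <param name="Htmlstring">包括HTML,脚本,数据库关键字,特殊字符的源码; null yields an empty string.</param>
/// <returns>已经去除标记后的文字</returns>
public static string NoHTML(string Htmlstring)
{
    if (Htmlstring is null)
    {
        return "";
    }

    // 删除脚本 — Singleline so a <script> body that spans several lines is removed as a whole
    // instead of surviving as plain text once its tags are stripped below.
    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase | RegexOptions.Singleline);
    // 删除HTML
    Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    // A line break plus the whitespace after it is dropped. The listing had "[/r/n]" and "[/s]",
    // which match the literal characters '/', 'r', 'n', 's' rather than CR/LF and whitespace.
    Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);
    // Decode the common entities back to characters (the listing's "/"" and "/xa1" forms were
    // mangled backslash escapes; restored to "\"" and "\xa1" etc.).
    Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
    // Any other numeric entity is dropped rather than decoded.
    Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    // 删除与数据库相关的词 — substring matches with no word boundaries (see remarks). Order and
    // repetition are kept as written because each Replace is a single pass.
    Htmlstring = Regex.Replace(Htmlstring, "select", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "insert", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "delete from", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "drop table", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "truncate", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "and", "", RegexOptions.IgnoreCase);
    return Htmlstring;
}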
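/// <summary>
/// 过滤文本中的非法字符串
/// Entity-encodes '&amp;', '&lt;' and '&gt;', doubles apostrophes, removes '*', turns line breaks
/// into &lt;br/&gt;, blanks a fixed list of lowercase SQL words, and trims the result.
/// </summary>
/// <remarks>
/// The listing showed the first three replacements as identity replacements ("&amp;" to "&amp;"),
/// most likely the entity text lost in rendering; they are restored here so the method actually
/// encodes. The word removal is case-sensitive and has no word boundaries ("selected" becomes
/// "ed", "updated" becomes "d"); it is not an injection control — use SqlParameter for SQL.
/// </remarks>
/// <param name="str">要输入的文本; null is treated like an empty string.</param>
/// <returns>The encoded, trimmed text, or "无" when nothing remains.</returns>
public static string HtmlEncode(string str)
{
    if (str is null)
    {
        return "无";
    }

    // '&' first so the entities introduced below are not re-encoded.
    str = str.Replace("&", "&amp;");
    str = str.Replace("<", "&lt;");
    str = str.Replace(">", "&gt;");
    str = str.Replace("'", "''");
    str = str.Replace("*", "");
    // "\r\n" must be handled before "\n"; the listing did it the other way round, which turned
    // "\r\n" into "\r<br/>" and left a stray carriage return in the output.
    str = str.Replace("\r\n", "<br/>");
    str = str.Replace("\n", "<br/>");
    str = str.Replace("select", "");
    str = str.Replace("insert", "");
    str = str.Replace("update", "");
    str = str.Replace("delete", "");
    str = str.Replace("create", "");
    str = str.Replace("drop", "");
    // "delcare" is as written in the listing (presumably meant "declare"); left unchanged.
    str = str.Replace("delcare", "");

    str = str.Trim();
    return str.Length == 0 ? "无" : str;
}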
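/// <summary>
/// 过滤字符串
/// Rewrites characters and words from a fixed table: brackets to "……", "=" to "{", '&lt;' and
/// '&gt;' to "}", ";" to ":", quotes, '&amp;' and "--" to "’", '"' removed, and a list of
/// script/SQL words to "’" (or "z" for the last three).
/// </summary>
/// <remarks>
/// This is a substitution table, not an encoder: ordinary text is altered ("band" becomes "b",
/// "character" becomes "’acter"), the word matches are exact-case and the SQL words are listed in
/// lowercase only, and nothing here makes the value safe to concatenate into SQL or HTML — use
/// SqlParameter and a real HTML encoder for those contexts. Each Replace is a single pass, so the
/// original order and the repeated word entries are kept as written.
/// </remarks>
/// <param name="Acc">要过滤的字符; null yields an empty string.</param>
/// <returns>The rewritten text.</returns>
public string FangZhuRu(string Acc)
{
    if (Acc is null)
    {
        return string.Empty;
    }

    Acc = Acc.Replace("[", "……");
    Acc = Acc.Replace("]", "……");
    Acc = Acc.Replace("and", "");
    Acc = Acc.Replace("=", "{");
    Acc = Acc.Replace("<", "}");
    Acc = Acc.Replace(">", "}");
    Acc = Acc.Replace(";", ":");
    Acc = Acc.Replace("'", "’");
    Acc = Acc.Replace("&", "’");
    Acc = Acc.Replace("--", "’");
    // The listing repeated the "'" replacement three more times and also replaced "=="; by this
    // point every "'" is already "’" and every "=" is "{", so those passes could never match.
    // The listing's "/"/"" here is a mangled "\"" that does not compile; restored.
    Acc = Acc.Replace("\"", "");
    Acc = Acc.Replace("script", "");
    Acc = Acc.Replace("SCRIPT", "‘");
    Acc = Acc.Replace("Script", "’");
    Acc = Acc.Replace("script", "’");
    Acc = Acc.Replace("object", "’");
    Acc = Acc.Replace("OBJECT", "’");
    Acc = Acc.Replace("Object", "’");
    Acc = Acc.Replace("object", "’");
    Acc = Acc.Replace("applet", "’");
    Acc = Acc.Replace("APPLET", "’");
    Acc = Acc.Replace("Applet", "’");
    Acc = Acc.Replace("applet", "’");
    Acc = Acc.Replace("select", "’");
    Acc = Acc.Replace("execute", "’");
    Acc = Acc.Replace("exec", "’");
    Acc = Acc.Replace("join", "’");
    Acc = Acc.Replace("union", "’");
    Acc = Acc.Replace("where", "’");
    Acc = Acc.Replace("insert", "’");
    Acc = Acc.Replace("delete", "’");
    Acc = Acc.Replace("update", "’");
    Acc = Acc.Replace("like", "’");
    Acc = Acc.Replace("drop", "’");
    Acc = Acc.Replace("create", "’");
    Acc = Acc.Replace("rename", "’");
    Acc = Acc.Replace("count", "’");
    Acc = Acc.Replace("chr", "’");
    Acc = Acc.Replace("mid", "’");
    Acc = Acc.Replace("truncate", "’");
    Acc = Acc.Replace("nchar", "’");
    Acc = Acc.Replace("char", "’");
    Acc = Acc.Replace("alter", "z");
    Acc = Acc.Replace("cast", "z");
    Acc = Acc.Replace("exists", "z");
    return Acc;
}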
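/// <summary>
/// Html转换
/// Encodes text for insertion into HTML: '&amp;', '&lt;', '&gt;', '"', "'" and spaces become
/// entities, "\n" becomes &lt;br&gt; and "\r" is dropped.
/// </summary>
/// <remarks>
/// The listing showed these as identity replacements ("&lt;" to "&lt;"), most likely the entity
/// text lost in rendering; the standard entities are restored here, and '&amp;' is encoded first
/// (the listing did not encode it at all, so an entity typed by the user was passed through as
/// markup). The targets chosen for "'" (&amp;#39;) and " " (&amp;nbsp;) are the conventional ones —
/// confirm against the original source if exact output matters.
/// </remarks>
/// <param name="chr">The text to encode; null yields an empty string.</param>
/// <returns>The encoded text.</returns>
public static string htmlstr(string chr)
{
    if (chr is null)
    {
        return "";
    }

    // '&' first so the entities introduced below are not re-encoded.
    chr = chr.Replace("&", "&amp;");
    chr = chr.Replace("<", "&lt;");
    chr = chr.Replace(">", "&gt;");
    chr = chr.Replace("\n", "<br>");
    chr = chr.Replace("\"", "&quot;");
    chr = chr.Replace("'", "&#39;");
    chr = chr.Replace(" ", "&nbsp;");
    // "\r\n" has become "\r<br>" above; dropping "\r" here leaves just "<br>".
    chr = chr.Replace("\r", "");
    return chr;
}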