  • 【转载】C#防SQL注入过滤危险字符信息

    不论是java开发、C#开发还是PHP开发,都需要关注SQL注入攻击的安全性问题。为了保证客户端提交过来的数据不会产生SQL注入的风险,我们需要对接收的数据进行危险字符过滤来防范SQL注入攻击,以下是C#防止SQL注入攻击的一个危险字符过滤函数,用于过滤掉相应的数据库关键字。

    主要过滤两类字符:(1)一些SQL中的标点符号,如@,*以及单引号等等;(2)过滤数据库关键字select、insert、delete from、drop table、truncate、mid、delete、update、truncate、declare、master、script、exec、net user、drop等关键字或者关键词。

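    /// <summary>
    /// Strips HTML markup, a fixed list of SQL keywords and some punctuation from a
    /// request value, then HTML-encodes and trims the result.
    /// </summary>
    /// <remarks>
    /// This is a lossy substring blacklist, not an injection defense. The keyword removals
    /// are plain substring matches ("or", "and", "net", "mid", "char", ...), so ordinary words
    /// are mangled ("world" becomes "wld"), and a single replacement pass gives no guarantee
    /// that a listed token is absent from the output. Database access still has to use
    /// parameterized queries; and because the return value is already HTML-encoded it is
    /// suitable for rendering only, not for storage (store the raw value, encode at the sink).
    /// Changes from the original: proper casing so it compiles, the ambient
    /// HttpContext.Current dependency (null outside a request, e.g. on background threads)
    /// replaced by System.Net.WebUtility.HtmlEncode, and two no-op replacements dropped.
    /// </remarks>
    /// <param name="htmlstring">Raw input; null is treated as empty.</param>
    /// <returns>The filtered, HTML-encoded, trimmed string; "" for null input.</returns>
    public string nohtml(string htmlstring)
    {
        if (htmlstring == null)
        {
            return "";
        }

        const RegexOptions ic = RegexOptions.IgnoreCase;

        // Remove script blocks first, then any remaining tag, line-leading whitespace and comments.
        // Tags are removed before the keyword pass so their text content is still filtered.
        htmlstring = Regex.Replace(htmlstring, @"<script[^>]*?>.*?</script>", "", ic);
        htmlstring = Regex.Replace(htmlstring, @"<(.[^>]*)>", "", ic);
        htmlstring = Regex.Replace(htmlstring, @"([\r\n])[\s]+", "", ic);
        htmlstring = Regex.Replace(htmlstring, @"-->", "", ic);
        htmlstring = Regex.Replace(htmlstring, @"<!--.*", "", ic);

        // Decode a handful of named/numeric entities to their characters, then drop every
        // other numeric entity. Decoding happens before the keyword pass, so an entity-encoded
        // keyword is still subject to it.
        htmlstring = Regex.Replace(htmlstring, @"&(quot|#34);", "\"", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(amp|#38);", "&", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(lt|#60);", "<", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(gt|#62);", ">", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(nbsp|#160);", " ", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(iexcl|#161);", "\xa1", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(cent|#162);", "\xa2", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(pound|#163);", "\xa3", ic);
        htmlstring = Regex.Replace(htmlstring, @"&(copy|#169);", "\xa9", ic);
        htmlstring = Regex.Replace(htmlstring, @"&#(\d+);", "", ic);

        // Database-related tokens, removed in this exact order (each is a case-insensitive
        // substring match; none contains regex metacharacters). "xp_cmdshell" appears twice in
        // the original and is kept twice: the removals in between can splice the token back
        // together, so the second pass is not a no-op.
        // NOTE(review): "inse" looks like a truncated "insert" — confirm the intended token.
        string[] tokens =
        {
            "xp_cmdshell",
            "select",
            "inse",
            "delete from",
            "count''",
            "drop table",
            "truncate",
            "asc",
            "mid",
            "char",
            "xp_cmdshell",
            "exec master",
            "net localgroup administrators",
            "and",
            "net user",
            "or",
            "net",
            "-",
            "delete",
            "drop",
            "script",
        };
        foreach (string token in tokens)
        {
            htmlstring = Regex.Replace(htmlstring, token, "", ic);
        }

        // Special characters. "-" was already removed above and "*/" cannot occur once "*" is
        // gone, so those two replacements from the original are omitted.
        htmlstring = htmlstring.Replace("<", "");
        htmlstring = htmlstring.Replace(">", "");
        htmlstring = htmlstring.Replace("*", "");
        htmlstring = htmlstring.Replace("?", "");
        // NOTE(review): doubling the quote is a SQL string-literal escape, yet the value is
        // HTML-encoded right after, so the output contains "&#39;&#39;" — confirm which sink
        // this function is meant to feed; it cannot be correct for both.
        htmlstring = htmlstring.Replace("'", "''");
        htmlstring = htmlstring.Replace(",", "");
        htmlstring = htmlstring.Replace("/", "");
        htmlstring = htmlstring.Replace(";", "");
        htmlstring = htmlstring.Replace("\r\n", "");

        // WebUtility.HtmlEncode encodes the same set as HttpServerUtility.HtmlEncode for the
        // characters this function can still emit (<, >, &, ", ' and U+00A0..U+00FF) without
        // needing an active request. NOTE(review): confirm surrogate-pair handling if non-BMP
        // input matters to callers.
        return System.Net.WebUtility.HtmlEncode(htmlstring).Trim();
    }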
    }
  • 原文地址:https://www.cnblogs.com/Kendy/p/15654454.html