EntityFrameWork+MVC防SQL注入

EntityFrameWork（以后简称EF）作为一款ORM非常的实用，能够大幅度的提高开发速度，但是EF的实质也是sql语句，同样需要防sql注入，在这里利用过滤器的特性来实现过滤特殊字符。

1.首先是过滤的代码

public class SqlFilterAttribute : FilterAttribute, IActionFilter
    {

        public void OnActionExecuted(ActionExecutedContext filterContext)
        {
            throw new NotImplementedException();
        }

        public void OnActionExecuting(ActionExecutingContext filterContext)
        {
            //获得action的参数
            var actions = filterContext.ActionDescriptor.GetParameters();

            //遍历所有的参数
            foreach (var action in actions)
            {
                if (action.ParameterType == typeof(string))
                {
                    if (filterContext.ActionParameters[action.ParameterName] != null)
                    {
                        filterContext.ActionParameters[action.ParameterName] = SqlFilter(filterContext.ActionParameters[action.ParameterName].ToString());
                    }
                }
            }
        }

        private const string SQL_FILTER_STRINGS = "=,',:, or ,select,update,insert,delete,declare,exec,drop,create,%,--";

        /// <summary>
        /// 过滤字符串
        /// </summary>
        /// <param name="filterStr"></param>
        /// <returns></returns>
        private string SqlFilter(string filterStr)
        {
            if (!string.IsNullOrEmpty(filterStr))
            {
                foreach (var item in SQL_FILTER_STRINGS.Split(','))
                {
                    //替换掉特殊字符
                    filterStr = filterStr.ToLower().Replace(item, "");
                }
            }
            return filterStr;
        }
    }

2.调用sql过滤

public class DefaultController : Controller
    {
        // GET: Default
        public ActionResult Index()
        {
            return View();
        }

        [HttpPost]
        [SqlFilter]
        public ActionResult Index(string s)
        {
            return View();
        }
    }

测试之后发现要求过滤的字符确实被过滤掉了。