登录界面常常会涉及到敏感关键字的注入
为了应对面试,再看一下
怎样防止注入,
可以过滤SQL需要参数中的敏感字符(忽略大小写)
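/// <summary>
/// Strips a fixed blacklist of SQL keywords and punctuation from user input.
/// Matching is case-insensitive (the stated intent of this filter), and the pass
/// repeats until nothing more is removed, so fragments left by one removal
/// (e.g. "oorr" -> "or") cannot re-form a blacklisted token.
/// </summary>
/// <remarks>
/// This is lossy: legitimate text that happens to contain "or", "and", "mid", ...
/// is mangled as well. Keyword stripping is not a security boundary; any SQL built
/// from user text must bind values as command parameters instead.
/// </remarks>
/// <param name="inputString">Raw user input; <c>null</c> is treated as empty.</param>
/// <returns>The trimmed input with every blacklisted token removed.</returns>
public static string Split(string inputString)
{
    if (string.IsNullOrEmpty(inputString))
    {
        return string.Empty;
    }

    // Punctuation first, then keywords, in the same order as the original filter.
    string[] blacklist =
    {
        "'", ";--", "--", "=",
        "and", "exec", "insert", "select", "delete", "update", "chr", "mid",
        "master", "or", "truncate", "char", "declare", "join", "count",
        "*", "%", "union",
    };

    string current = inputString.Trim();
    string previous;
    do
    {
        previous = current;
        foreach (string token in blacklist)
        {
            current = RemoveAllIgnoreCase(current, token);
        }
    }
    while (current != previous); // every pass only shrinks the text, so this terminates

    return current;
}

/// <summary>
/// Removes every case-insensitive occurrence of <paramref name="token"/> from
/// <paramref name="text"/>, restarting the search after each removal so that an
/// occurrence formed by joining the two halves is removed as well.
/// </summary>
/// <param name="text">Text to filter.</param>
/// <param name="token">Token to remove (ordinal, case-insensitive).</param>
/// <returns>The text with no remaining occurrence of the token.</returns>
private static string RemoveAllIgnoreCase(string text, string token)
{
    int index;
    while ((index = text.IndexOf(token, StringComparison.OrdinalIgnoreCase)) >= 0)
    {
        text = text.Remove(index, token.Length);
    }

    return text;
}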
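#region Escape a value for embedding in a SQL string literal; required wherever direct user input is used
/// <summary>
/// Doubles every single quote so the value can sit inside a SQL string literal.
/// Every place that embeds direct user input into SQL text must call this.
/// </summary>
/// <remarks>
/// Quote doubling only protects values placed inside a quoted string literal;
/// parameterized commands remain the primary defence.
/// </remarks>
/// <param name="text">Input text; <c>null</c> is treated as empty.</param>
/// <returns>The text with each <c>'</c> replaced by <c>''</c>.</returns>
public static string filterSQL(string text)
{
    if (string.IsNullOrEmpty(text))
    {
        return string.Empty;
    }

    // The original also "replaced" "{" and "}" with themselves; those calls were
    // no-ops and have been dropped. Only the quote escaping affects the output.
    return text.Replace("'", "''");
}
#endregion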
#region Wrap a value as a quoted SQL string literal
/// <summary>
/// Escapes <paramref name="text"/> via <see cref="filterSQL"/> (doubling any <c>'</c>)
/// and wraps the result in single quotes.
/// </summary>
/// <param name="text">Input text.</param>
/// <returns>The escaped text surrounded by single quotes.</returns>
public static String GetQuotedString(String text)
{
    const string quote = "'";
    string escaped = filterSQL(text);
    return string.Concat(quote, escaped, quote);
}
#endregion
防注入参数化过程实例:
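/// <summary>
/// Records the parameter set for a SQL template under <paramref name="getdataSql"/>
/// in the logical call context, so a later step on the same call path can bind the
/// values as parameters instead of splicing them into the text. Empty keys are ignored.
/// </summary>
/// <param name="getdataSql">Key the entry is stored under; null or empty is a no-op.</param>
/// <param name="template">The SQL template the parameters belong to.</param>
/// <param name="parameters">The parameter values; their shape is defined by the consumer.</param>
public static void Paramter(string getdataSql, string template, object parameters)
{
    if (string.IsNullOrEmpty(getdataSql))
    {
        return;
    }

    // NOTE(review): nothing visible on this page reads this entry back, and
    // ExecuteScalar below runs its sql text verbatim without binding parameters —
    // confirm a consumer exists, otherwise the "parameterization" is never applied.
    CallContext.SetData(getdataSql, new KeyValuePair<string, object>(template, parameters));
}

/// <summary>
/// Executes <paramref name="sql"/> as plain command text and returns the first column
/// of the first row as a <see cref="long"/>, or 0 when there is no result or it is SQL NULL.
/// </summary>
/// <remarks>
/// The text is executed exactly as given with no bound parameters, so it must not be
/// assembled from untrusted input; bind values through the command's Parameters instead.
/// </remarks>
/// <param name="sql">The SQL text to execute.</param>
/// <returns>The scalar result converted to <see cref="long"/>; 0 for null or DBNull.</returns>
private long ExecuteScalar(string sql)
{
    // Disposing the connection also closes it; the explicit Close() in the
    // original finally block was redundant.
    using (IDbConnection dbConnection = new SqlConnection(_unitOfWork.DbConnectionString))
    {
        dbConnection.Open();

        // IDbCommand is IDisposable too; the original never disposed it.
        using (IDbCommand command = dbConnection.CreateCommand())
        {
            command.CommandText = sql;
            command.CommandType = CommandType.Text;

            object obj = command.ExecuteScalar();

            // A SQL NULL comes back as DBNull.Value; Convert.ToInt64 throws
            // InvalidCastException on it, so treat it the same as "no result".
            if (obj == null || obj is DBNull)
            {
                return 0L;
            }

            return Convert.ToInt64(obj);
        }
    }
}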