思享工具箱

过滤sql特殊字符方法集合

摘要:
///筛选出SQL字符的字符串。

///<summary>
///过滤不安全的字符串
///</summary>
///<param name="Str"></param>
///<returns></returns>publicstaticstringFilteSQLStr(stringStr)
{
Str=Str.Replace("'","");
Str=Str.Replace("/"","");
Str=Str.Replace("&","&amp");
Str=Str.Replace("<","&lt");
Str=Str.Replace(">","&gt");
Str=Str.Replace("delete","");
Str=Str.Replace("update","");
Str=Str.Replace("insert","");
returnStr;
}

2.

#region过滤 Sql 语句字符串中的注入脚本
///<summary>
///过滤 Sql 语句字符串中的注入脚本
///</summary>
///<param name="source">传入的字符串</param>
///<returns>过 滤后的字符串</returns>publicstaticstringSqlFilter(stringsource)
{
//单引号替换成两个单引号source=source.Replace("'","''");
//半角封号替换为全角封号,防止多语句执行source=source.Replace(";","");
//半角括号替换为全角括号source=source.Replace("(","");
source=source.Replace(")","");
///////////////要用正则表达式替换,防止字母大小写得情况////////////////////
//去除执行存储过程的命令关键字source=source.Replace("Exec","");
source=source.Replace("Execute","");
//去除系统存储过程或扩展存储过程关键字source=source.Replace("xp_","x p_");
source=source.Replace("sp_","s p_");
//防止16进制注入source=source.Replace("0x","0 x");
returnsource;
}
#endregion

3.

///过滤SQL字符。
///</summary>
///<param name="str">要过滤SQL字符的字符串。</param>
///<returns>已过滤掉SQL字符的字符串。</returns>publicstaticstringReplaceSQLChar(stringstr)
{
if(str==String.Empty)
returnString.Empty; str=str.Replace("'","");
str=str.Replace(";","");
str=str.Replace(",",",");
str=str.Replace("?","?");
str=str.Replace("<","");
str=str.Replace(">","");
str=str.Replace("(","(");
str=str.Replace(")",")");
str=str.Replace("@","");
str=str.Replace("=","");
str=str.Replace("+","");
str=str.Replace("*","");
str=str.Replace("&","");
str=str.Replace("#","");
str=str.Replace("%","");
str=str.Replace("$","");
returnstr;
}
4.

///<summary>///过滤标记
///</summary>///<param name="NoHTML">包括HTML,脚本,数据库关键字,特殊字符的源码</param>///<returns>已经去除标记后的文字</returns>publicstringNoHtml(stringHtmlstring)
{
if(Htmlstring==null)
{
return"";
}
else
{
//删除脚本Htmlstring=Regex.Replace(Htmlstring,@"<script[^>]*?>.*?</script>","", RegexOptions.IgnoreCase);
//删除HTMLHtmlstring=Regex.Replace(Htmlstring,@"<(.[^>]*)>","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"([/r/n])[/s]+","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"-->","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"<!--.*","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(quot|#34);","/"", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(amp|#38);","&", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(lt|#60);","<", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(gt|#62);",">", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(nbsp|#160);","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(iexcl|#161);","/xa1", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(cent|#162);","/xa2", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(pound|#163);","/xa3", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&(copy|#169);","/xa9", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,@"&#(/d+);","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"xp_cmdshell","", RegexOptions.IgnoreCase);
//删除与数据库相关的词Htmlstring=Regex.Replace(Htmlstring,"select","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"insert","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"delete from","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"count''","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"drop table","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"truncate","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"asc","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"mid","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"char","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"xp_cmdshell","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"exec master","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"net localgroup administrators","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"and","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"net user","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"or","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"net","", RegexOptions.IgnoreCase);
//Htmlstring = Regex.Replace(Htmlstring, "*", "", RegexOptions.IgnoreCase);Htmlstring=Regex.Replace(Htmlstring,"-","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"delete","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"drop","", RegexOptions.IgnoreCase);
Htmlstring=Regex.Replace(Htmlstring,"script","", RegexOptions.IgnoreCase);
//特殊的字符Htmlstring=Htmlstring.Replace("<","");
Htmlstring=Htmlstring.Replace(">","");
Htmlstring=Htmlstring.Replace("*","");
Htmlstring=Htmlstring.Replace("-","");
Htmlstring=Htmlstring.Replace("?","");
Htmlstring=Htmlstring.Replace("'","''");
Htmlstring=Htmlstring.Replace(",","");
Htmlstring=Htmlstring.Replace("/","");
Htmlstring=Htmlstring.Replace(";","");
Htmlstring=Htmlstring.Replace("*/","");
Htmlstring=Htmlstring.Replace("/r/n","");
Htmlstring=HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
returnHtmlstring;
}
}

5.

publicstaticboolCheckBadWord(stringstr)
{
stringpattern=@"select|insert|delete|from|count/(|drop table|update|truncate|asc/(|mid/(|char/(|xp_cmdshell|exec master|netlocalgroup administrators|net user|or|and";
if(Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase))
returntrue;
returnfalse;
}
publicstaticstringFilter(stringstr)
{
string[] pattern={"select","insert","delete","from","count//(","drop table","update","truncate","asc//(","mid//(","char//(","xp_cmdshell","exec master","netlocalgroup administrators","net user","or","and"};
for(inti=0; i<pattern.Length; i++)
{
str=str.Replace(pattern[i].ToString(),"");
}
returnstr;
}

标签:#sql注入#特殊字符#delete#replace | 浏览:249 | 发布日期:

免责声明:文章转载自《过滤sql特殊字符方法集合》仅用于学习参考。如对内容有疑问,请及时联系本站处理。

上篇劳德巴赫下载kernel和文件系统时问题SSD1306系列OLED显示芯片的差异下篇

宿迁高防,2C2G15M,22元/月;香港BGP,2C5G5M,25元/月 雨云优惠码:MjYwNzM=

相关文章

C#中常用的经典文件操作方法

 C#追加文件 StreamWriter sw = File.AppendText(Server.MapPath(".")+"\\myText.txt"); sw.WriteLine("追逐理想"); sw.WriteLine("kzlll"); sw.WriteLine(".NET笔记"); sw.Flush(); sw.Close(); C#拷贝文件...

网络爬虫+SQL注入检测一

项目目录结构 /w8ay.py //项目启动主文件 /lib/core //核心文件存放目录 /lib/core/config.py //配置文件 /script //插件存放 /exp //exp和poc存放 四、实验步骤 4.1 sql检测脚本编写 用一个字典存储数据库特征: DBMS_ERRORS = { # regular express...

Mybatis检查SQL注入

Mybatis 的 Mapper.xml 语句中 parameterType 向SQL语句传参有两种方式:#{ } 和 ${ }。 使用#{ }是来防止SQL注入,使用${ }是用来动态拼接参数。 如何排查出 1. 检查是否有$号 如果你使用的是ide代码编辑器,那么可以通过全局搜索${ , 快速定位到使用${ }拼接SQL的语句,在去找到外部传入参数的入...

Json数据中的特殊字符处理

今天在项目中遇到一个问题,页面上的数据突然显示不出来了,查验后得知是Json数据出现了问题。使用JSON从后台向前台传输数据的时候,当数据本身含有一些特殊字符,会导致JSON数据的解析出错。如果内容中本身就包含了 """ 双引号、" " 回车换行这时候,数据的解析就会出现问题。 , , 的区别 ? 1 2 3 4 是换行,英文是New line...

SQL触发器(1)

在实习过程中涉及到SQL触发器,在校时未学习过触发器的知识,因而进行上网自学整理,以下内容为我对网上资料收集整合,若侵权请联系删除,谢谢。 一、触发器概念  定义: 何为触发器?在SQL Server里面也就是对某一个表的一定的操作,触发某种条件,从而执行的一段程序。触发器是一个特殊的存储过程。  常见的触发器有三种:分别应用于Insert , Updat...

HBase框架学习之路

1 背景知识 1.1 解决问题 解决HDFS不支持单条记录的快速查找和更新的问题。 1.2 适用情况 存在亿万条记录的数据库,只有千万或者百万条记录使用RDBMS更加合适 确保你的应用不需要使用RDBMS的高级特性(第二索引,事务机制,高级查询语言等) 足够的硬件配置,即节点数,HDFS在少于5个节点时并不会表现得很好,HBase也存在相同情况。 2...

最新文章

随机推荐

思享工具箱导航