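/// <summary>
/// Strips quote characters, HTML-encodes the three markup characters and removes
/// three SQL keywords from a string before it is used in a query.
/// </summary>
/// <remarks>
/// This is a substring blacklist: keyword removal is case-sensitive and not
/// word-bounded, so legitimate text is altered ("updated" becomes "d") while
/// upper-case keywords pass through untouched. It does not make string-built SQL
/// safe; parameterized queries do. The double-quote target and the three HTML
/// entities were restored from the garbled copy this file came from ("/" for "\",
/// entity text decoded) — confirm against the original source if needed.
/// </remarks>
/// <param name="Str">The input string; null yields an empty string.</param>
/// <returns>The filtered string.</returns>
public static string FilteSQLStr(string Str)
{
    // The original dereferenced Str without a check and threw on null.
    if (Str == null)
    {
        return string.Empty;
    }

    // Quote characters are dropped outright.
    Str = Str.Replace("'", "");
    Str = Str.Replace("\"", "");
    // HTML-encode markup characters; "&" must go first so the entities just
    // produced are not re-encoded.
    Str = Str.Replace("&", "&amp;");
    Str = Str.Replace("<", "&lt;");
    Str = Str.Replace(">", "&gt;");
    // Keyword blacklist (lower-case only, matches inside other words).
    Str = Str.Replace("delete", "");
    Str = Str.Replace("update", "");
    Str = Str.Replace("insert", "");
    return Str;
}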
2.
#region过滤 Sql 语句字符串中的注入脚本
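/// <summary>
/// Rewrites characters and keywords commonly found in SQL injection payloads.
/// </summary>
/// <remarks>
/// Single quotes are doubled; half-width ";", "(" and ")" become their full-width
/// forms so they no longer end a statement or call a function; EXEC/EXECUTE are
/// removed; "xp_", "sp_" and "0x" are broken up with a space. Keyword matching
/// is case-insensitive, which the original author's own note asked for. Like any
/// blacklist this alters legitimate text and is not a substitute for
/// parameterized queries.
/// </remarks>
/// <param name="source">The input string; null yields an empty string.</param>
/// <returns>The filtered string.</returns>
public static string SqlFilter(string source)
{
    // The original dereferenced source without a check and threw on null.
    if (source == null)
    {
        return string.Empty;
    }

    // Double single quotes so one cannot terminate a string literal.
    source = source.Replace("'", "''");
    // Half-width -> full-width: prevents statement chaining and function calls.
    source = source.Replace(";", "；");
    source = source.Replace("(", "（");
    source = source.Replace(")", "）");
    // Stored-procedure execution keywords. "Execute" must be removed before
    // "Exec": the original removed "Exec" first, which turned "Execute" into "ute"
    // and made its second replacement unreachable.
    source = Regex.Replace(source, "Execute", "", RegexOptions.IgnoreCase);
    source = Regex.Replace(source, "Exec", "", RegexOptions.IgnoreCase);
    // Break up system / extended stored-procedure prefixes.
    source = Regex.Replace(source, "xp_", "x p_", RegexOptions.IgnoreCase);
    source = Regex.Replace(source, "sp_", "s p_", RegexOptions.IgnoreCase);
    // Break up hexadecimal literals.
    source = Regex.Replace(source, "0x", "0 x", RegexOptions.IgnoreCase);
    return source;
}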
#endregion
3.
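/// <summary>
/// Replaces characters that carry meaning in SQL with full-width look-alikes, so
/// the text stays readable but is inert inside a statement.
/// </summary>
/// <remarks>
/// In the copy this file came from, every target except "‘" and "¥" appeared as a
/// no-op replacement (the full-width characters were collapsed to ASCII). They
/// have been restored as the corresponding full-width forms, matching the two
/// surviving substitutions and the sibling SqlFilter method; confirm against the
/// original source if exact output matters.
/// </remarks>
/// <param name="str">The string to filter; null or empty yields an empty string.</param>
/// <returns>The filtered string.</returns>
public static string ReplaceSQLChar(string str)
{
    // The original only compared against String.Empty, so null reached Replace and threw.
    if (string.IsNullOrEmpty(str))
    {
        return String.Empty;
    }

    str = str.Replace("'", "‘");
    str = str.Replace(";", "；");
    str = str.Replace(",", "，");
    str = str.Replace("?", "？");
    str = str.Replace("<", "＜");
    str = str.Replace(">", "＞");
    str = str.Replace("(", "（");
    str = str.Replace(")", "）");
    str = str.Replace("@", "＠");
    str = str.Replace("=", "＝");
    str = str.Replace("+", "＋");
    str = str.Replace("*", "＊");
    str = str.Replace("&", "＆");
    str = str.Replace("#", "＃");
    str = str.Replace("%", "％");
    str = str.Replace("$", "¥");
    return str;
}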
4.
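/// <summary>
/// Strips script blocks, HTML tags, a fixed set of entities, a blacklist of SQL
/// and shell keywords and some punctuation from <paramref name="Htmlstring"/>,
/// then HTML-encodes and trims the remainder.
/// </summary>
/// <remarks>
/// Keyword removal is a plain substring blacklist: it is not word-bounded, so
/// ordinary words lose letters ("form", "hand", "network", "middle" all change)
/// and the order of the passes matters. The script pattern is not run with
/// RegexOptions.Singleline, so a script element that spans lines keeps its body
/// text (the generic tag pattern still removes the tags). HttpContext.Current is
/// null outside a request, so the final encoding call throws there.
/// </remarks>
/// <param name="Htmlstring">Source text that may contain HTML, scripts, SQL keywords and special characters.</param>
/// <returns>The filtered, HTML-encoded, trimmed text; an empty string for null input.</returns>
public string NoHtml(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }

    // 1. Scripts, tags, line breaks followed by whitespace, comment delimiters.
    //    Regex escapes were restored from the "/r/n", "/s", "/d" and "/xNN" forms
    //    in the garbled copy this file came from.
    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

    // 2. Decode a fixed set of entities; any other numeric entity is dropped.
    Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\u00A1", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\u00A2", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\u00A3", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\u00A9", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

    // 3. Keyword blacklist, case-insensitive, applied strictly in this order
    //    ("delete from" before "delete", "net user" before "net").
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "select", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "insert", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "delete from", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "drop table", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "truncate", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);
    // Second pass kept from the original: the removals above can join fragments
    // into the keyword (e.g. "xp_cmdselectshell").
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "and", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "net user", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "or", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "net", "", RegexOptions.IgnoreCase);
    // "*" is not a valid pattern on its own; it is handled by String.Replace below.
    Htmlstring = Regex.Replace(Htmlstring, "-", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "delete", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "drop", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);

    // 4. Punctuation. Single quotes are doubled; everything else is dropped. The
    //    original's "-" and "*/" replacements at this point could never match
    //    (hyphens and asterisks are already gone) and were removed.
    Htmlstring = Htmlstring.Replace("<", "");
    Htmlstring = Htmlstring.Replace(">", "");
    Htmlstring = Htmlstring.Replace("*", "");
    Htmlstring = Htmlstring.Replace("?", "");
    Htmlstring = Htmlstring.Replace("'", "''");
    Htmlstring = Htmlstring.Replace(",", "");
    Htmlstring = Htmlstring.Replace("/", "");
    Htmlstring = Htmlstring.Replace(";", "");
    Htmlstring = Htmlstring.Replace("\r\n", "");

    // Requires an active request context (System.Web).
    Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
    return Htmlstring;
}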
5.
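/// <summary>
/// Reports whether <paramref name="str"/> contains any entry of a fixed
/// SQL/shell keyword blacklist, ignoring case.
/// </summary>
/// <remarks>
/// The alternatives are not word-bounded, so "or" and "and" match ordinary words
/// ("for", "word", "hand"); expect false positives on free text. The
/// "netlocalgroup" spelling is kept as found in this copy (the sibling NoHtml
/// method spells it "net localgroup") — confirm against the original source.
/// </remarks>
/// <param name="str">The string to check; null is treated as clean.</param>
/// <returns>true when a blacklisted substring is present.</returns>
public static bool CheckBadWord(string str)
{
    // "\(" escapes were restored from the "/(" form in the garbled copy; as
    // written there, "count/(" could never match "count(".
    const string pattern = @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|netlocalgroup administrators|net user|or|and";
    // Regex.IsMatch throws on null input; a null value has nothing to flag.
    return str != null && Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase);
}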
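/// <summary>
/// Removes every entry of the keyword blacklist shared with
/// <see cref="CheckBadWord"/> from <paramref name="str"/>, ignoring case.
/// </summary>
/// <remarks>
/// The original used case-sensitive String.Replace, so upper-case keywords that
/// CheckBadWord flags passed through unchanged; matching is now case-insensitive
/// to agree with it. Removal is not word-bounded and alters legitimate text.
/// The "count//(" style entries in this copy were searching for a literal
/// backslash and could never match "count("; they now target the parenthesised
/// form, as the CheckBadWord pattern does.
/// </remarks>
/// <param name="str">The string to filter; null yields an empty string.</param>
/// <returns>The string with all blacklisted substrings removed, in list order.</returns>
public static string Filter(string str)
{
    if (str == null)
    {
        return string.Empty;
    }

    string[] pattern =
    {
        "select", "insert", "delete", "from", "count(", "drop table", "update",
        "truncate", "asc(", "mid(", "char(", "xp_cmdshell", "exec master",
        "netlocalgroup administrators", "net user", "or", "and"
    };
    foreach (string word in pattern)
    {
        // Regex.Escape keeps "(" literal; the list is ordered, later entries see
        // the result of earlier removals.
        str = Regex.Replace(str, Regex.Escape(word), "", RegexOptions.IgnoreCase);
    }
    return str;
}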