过滤SQL关键字,防止SQL注入

定义一个方法进行关键字的过滤,方法中使用正则表达式过滤:

///
        /// 过滤字符串中注入SQL脚本的方法
        ///
        ///传入的字符串
        ///过滤后的字符串
        private static string SqlFilters(string source)
        {
            
            //半角括号替换为全角括号
            source = source.Replace("'", "'''");
            //去除执行SQL语句的命令关键字
            source = Regex.Replace(source, "select", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "insert", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "update", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "delete", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "drop", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "truncate", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "declare", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "xp_cmdshell", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "/add", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "net user", "", RegexOptions.IgnoreCase);
            //去除执行存储过程的命令关键字 
            source = Regex.Replace(source, "exec", "", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "execute", "", RegexOptions.IgnoreCase);
            //去除系统存储过程或扩展存储过程关键字
            source = Regex.Replace(source, "xp_", "x p_", RegexOptions.IgnoreCase);
            source = Regex.Replace(source, "sp_", "s p_", RegexOptions.IgnoreCase);
            //防止16进制注入
            source = Regex.Replace(source, "0x", "0 x", RegexOptions.IgnoreCase);
            return source;
        }

当然也可以添加自己想要的过滤正则,下面加入一个方法调用并返回过滤后的字符串:

///
        /// 防注入过滤函数
        ///
        ///需要过滤字符串
        ///过滤后的字符串
        public static string Filter(string inputString)
        {
            if (inputString != ""&&inputString!=null)
            {
                string sql = SqlFilters(inputString);
                if (sql == "")
                {
                    sql = "敏感字符";
                }
                return sql;
            }
            else
            {
                return inputString;
            }
        }

在我们做web开发的过程中,Web安全问题一直都是最大的隐患,互联网的繁荣离不开网络安全,这是我们的机遇也是我们的挑战。

你可能感兴趣的:(C#,SQL,MySQL)