定义一个方法进行关键字的过滤,方法中使用正则表达式过滤:
///<summary>
/// 过滤字符串中注入SQL脚本的方法
///</summary>
///<param name="source">传入的字符串</param>
///<returns>过滤后的字符串</returns>
private static string SqlFilters(string source)
{
//半角括号替换为全角括号
source = ("'", "'''");
//去除执行SQL语句的命令关键字
source = (source, "select", "", );
source = (source, "insert", "", );
source = (source, "update", "", );
source = (source, "delete", "", );
source = (source, "drop", "", );
source = (source, "truncate", "", );
source = (source, "declare", "", );
source = (source, "xp_cmdshell", "", );
source = (source, "/add", "", );
source = (source, "net user", "", );
//去除执行存储过程的命令关键字
source = (source, "exec", "", );
source = (source, "execute", "", );
//去除系统存储过程或扩展存储过程关键字
source = (source, "xp_", "x p_", );
source = (source, "sp_", "s p_", );
//防止16进制注入
source = (source, "0x", "0 x", );
return source;
}当然也可以添加自己想要的过滤正则,下面加入一个方法调用并返回过滤后的字符串:
///<summary>
/// 防注入过滤函数
///</summary>
///<param name="inputString">需要过滤字符串</param>
///<returns>过滤后的字符串</returns>
public static string Filter(string inputString)
{
if (inputString != ""&&inputString!=null)
{
string sql = SqlFilters(inputString);
if (sql == "")
{
sql = "敏感字符";
}
return sql;
}
else
{
return inputString;
}
}在我们做web开发的过程中,Web安全问题一直都是最大的隐患,互联网的繁荣离不开网络安全,这是我们的机遇也是我们的挑战。