C#实现过滤sql特殊字符的方法集合

本文实例讲述了C#实现过滤sql特殊字符的方法集合。分享给大家供大家参考，具体如下：

1.

?

/// <summary>

/// 过滤不安全的字符串

/// </summary>

/// <param name="Str"></param>

/// <returns></returns>

public static string FilteSQLStr( string Str)

{

   Str = Str.Replace( "'" , "" );

   Str = Str.Replace( "\"" , "" );

   Str = Str.Replace( "&" , "&amp" );

   Str = Str.Replace( "<" , "&lt" );

   Str = Str.Replace( ">" , "&gt" );

   Str = Str.Replace( "delete" , "" );

   Str = Str.Replace( "update" , "" );

   Str = Str.Replace( "insert" , "" );

   return Str;

}

2.

?

#region 过滤 Sql 语句字符串中的注入脚本

/// <summary>

/// 过滤 Sql 语句字符串中的注入脚本

/// </summary>

/// <param name="source">传入的字符串</param>

/// <returns>过滤后的字符串</returns>

public static string SqlFilter( string source)

{

  //单引号替换成两个单引号

  source = source.Replace( "'" , "''" );

  //半角封号替换为全角封号，防止多语句执行

  source = source.Replace( ";" , "；" );

  //半角括号替换为全角括号

  source = source.Replace( "(" , "（" );

  source = source.Replace( ")" , "）" );

  ///////////////要用正则表达式替换，防止字母大小写得情况////////////////////

  //去除执行存储过程的命令关键字

  source = source.Replace( "Exec" , "" );

  source = source.Replace( "Execute" , "" );

  //去除系统存储过程或扩展存储过程关键字

  source = source.Replace( "xp_" , "x p_" );

  source = source.Replace( "sp_" , "s p_" );

  //防止16进制注入

  source = source.Replace( "0x" , "0 x" );

  return source;

}

#endregion

3.

?

/// 过滤SQL字符。

/// </summary>

/// <param name="str">要过滤SQL字符的字符串。</param>

/// <returns>已过滤掉SQL字符的字符串。</returns>

public static string ReplaceSQLChar( string str)

{

  if (str == String.Empty)

   return String.Empty; str = str.Replace( "'" , "‘" );

  str = str.Replace( ";" , "；" );

  str = str.Replace( "," , "," );

  str = str.Replace( "?" , "?" );

  str = str.Replace( "<" , "＜" );

  str = str.Replace( ">" , "＞" );

  str = str.Replace( "(" , "(" );

  str = str.Replace( ")" , ")" );

  str = str.Replace( "@" , "＠" );

  str = str.Replace( "=" , "＝" );

  str = str.Replace( "+" , "＋" );

  str = str.Replace( "*" , "＊" );

  str = str.Replace( "&" , "＆" );

  str = str.Replace( "#" , "＃" );

  str = str.Replace( "%" , "％" );

  str = str.Replace( "$" , "￥" );

  return str;

}

4.

?

/// <summary>

/// 过滤标记

/// </summary>

/// <param name="NoHTML">包括HTML，脚本，数据库关键字，特殊字符的源码 </param>

/// <returns>已经去除标记后的文字</returns>

public string NoHtml( string Htmlstring)

{

  if (Htmlstring == null )

  {

   return "" ;

  }

  else

  {

   //删除脚本

    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>" , "" , RegexOptions.IgnoreCase);

   //删除HTML

   Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"-->" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"<!--.*" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);" , "\"" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);" , "&" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);" , "<" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);" , ">" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);" , " " , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);" , "\xa1" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);" , "\xa2" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);" , "\xa3" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);" , "\xa9" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell" , "" , RegexOptions.IgnoreCase);

   //删除与数据库相关的词

   Htmlstring = Regex.Replace(Htmlstring, "select" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "insert" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "delete from" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "count''" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "drop table" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "truncate" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "asc" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "mid" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "char" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "exec master" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "and" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "net user" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "or" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "net" , "" , RegexOptions.IgnoreCase);

   //Htmlstring = Regex.Replace(Htmlstring, "*", "", RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "-" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "delete" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "drop" , "" , RegexOptions.IgnoreCase);

   Htmlstring = Regex.Replace(Htmlstring, "script" , "" , RegexOptions.IgnoreCase);

   //特殊的字符

    Htmlstring = Htmlstring.Replace( "<" , "" );

   Htmlstring = Htmlstring.Replace( ">" , "" );

   Htmlstring = Htmlstring.Replace( "*" , "" );

   Htmlstring = Htmlstring.Replace( "-" , "" );

   Htmlstring = Htmlstring.Replace( "?" , "" );

   Htmlstring = Htmlstring.Replace( "'" , "''" );

   Htmlstring = Htmlstring.Replace( "," , "" );

   Htmlstring = Htmlstring.Replace( "/" , "" );

   Htmlstring = Htmlstring.Replace( ";" , "" );

   Htmlstring = Htmlstring.Replace( "*/" , "" );

   Htmlstring = Htmlstring.Replace( "\r\n" , "" );

   Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();

   return Htmlstring;

  }

}

5.

?

public static bool CheckBadWord( string str)

{

string pattern = @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|netlocalgroup administrators|net user|or|and" ;

if (Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase))

return true ;

return false ;

}

public static string Filter( string str)

{

string [] pattern ={ "select" , "insert" , "delete" , "from" , "count\\(" , "drop table" , "update" , "truncate" , "asc\\(" , "mid\\(" , "char\\(" , "xp_cmdshell" , "exec master" , "netlocalgroup administrators" , "net user" , "or" , "and" };

for ( int i = 0; i < pattern.Length; i++)

{

str = str.Replace(pattern[i].ToString(), "" );

}

return str;

}

希望本文所述对大家C#程序设计有所帮助。

dy("nrwz");

查看更多关于C#实现过滤sql特殊字符的方法集合的详细内容...