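#region SQL注入检验
/// <summary>
/// Removes a fixed blacklist of characters and keywords that commonly appear in SQL
/// injection payloads from <paramref name="txt_Checking"/>.
/// This is a lossy substring filter, not an injection defence: it rewrites legitimate
/// text (e.g. "world" loses its "or") and cannot make a string-concatenated query safe.
/// Pass user input to the database through parameterized commands (SqlParameter);
/// treat this method as defence-in-depth at most.
/// </summary>
/// <param name="txt_Checking">The string to filter.</param>
/// <returns>The input with the blacklisted characters and keywords removed (keywords are matched case-insensitively).</returns>
/// <exception cref="ArgumentNullException"><paramref name="txt_Checking"/> is null.</exception>
public static string SqlCheck(string txt_Checking)
{
    if (txt_Checking == null)
    {
        throw new ArgumentNullException("txt_Checking");
    }

    // Single characters: plain ordinal replacement, no regex needed.
    // The double quote is "\"" here; the earlier form "/"" did not compile.
    string[] specialChars = { "'", "\"", "=", ":", "#", "@", ";", "%", "*" };
    foreach (string ch in specialChars)
    {
        txt_Checking = txt_Checking.Replace(ch, "");
    }

    // Keywords are removed as case-insensitive substrings, in this order.
    // "net localgroup" is listed before "net": with "net" stripped first the
    // two-word entry could never match (and IgnorePatternWhitespace used to drop
    // the space from the pattern as well).
    string[] keywords =
    {
        "net localgroup",
        "select", "or", "and", "join", "out", "delete", "update", "where", "insert",
        "from", "asc", "char", "count", "mid", "net", "exec", "user"
    };
    foreach (string keyword in keywords)
    {
        // Regex.Escape keeps each entry literal; Replace is a no-op when nothing
        // matches, so a separate IsMatch pass is unnecessary.
        txt_Checking = Regex.Replace(txt_Checking, Regex.Escape(keyword), "", RegexOptions.IgnoreCase);
    }

    return txt_Checking;
}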
#endregion

自己写的,如果有什么不对的地方请留言指教!