本文介绍了两种防止SQL注入的方法:使用SqlParameter传递参数和对输入字符串进行关键字过滤。通过实例展示了如何实现过滤处理,并提供了具体的代码实现。
第一种方法:
1.所有传入的Sql参数统统都用SqlParameter来写.
第二种方法
1.对所有要传入的参数做Sql关键字符过滤.
用法:
string strSql = "select * from UserInfo where UID = {0}";
strSql = FormatSql(strSql,tbUID.Text);
/// <summary>
/// Sql语句过滤处理类
/// </summary>
public static class SqlFilter
{
/// <summary>
/// 过滤Sql注入的字符
/// </summary>
/// <param name="sqlCondition">要过滤的Sql数据 </param>
/// <returns> </returns>
public static string FilterInjection(string sqlCondition)
{
if (sqlCondition.Trim() != string.Empty)
sqlCondition = sqlCondition.Trim();
sqlCondition = sqlCondition.Replace("''", "");
sqlCondition = sqlCondition.Replace("'", "''");
sqlCondition = sqlCondition.Replace("_", @"\_");
sqlCondition = sqlCondition.Replace("%", @"\%");
return sqlCondition;
}
public static string AddEsCape(string strSql, string sqlCondition)
{
string m_ReturnSql = string.Empty;
if (sqlCondition.Contains(@"\%") || sqlCondition.Contains(@"\_"))
{
m_ReturnSql = string.Format(strSql, sqlCondition) + @" escape '\' ";
}
else
{
m_ReturnSql = string.Format(strSql, sqlCondition);
}
return m_ReturnSql;
}
public static string FormatSql(string strSql, string sqlCondition)
{
string m_Condition = FilterInjection(sqlCondition);
if (string.IsNullOrEmpty(m_Condition))
{
return string.Empty;
}
else
{
return AddEsCape(strSql, m_Condition);
}
}
}
转载于:https://www.cnblogs.com/feinian/archive/2009/03/18/1415395.html
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
