asp.net的sql防注入代码

发布时间:2020-03-21编辑:脚本学堂
本文介绍一段在 asp.net 编程中用于过滤输入、防范 sql 注入的代码,有需要的朋友不妨参考下。

代码如下,具体实现思路,大家看下注释吧。
 

代码示例:

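/// <summary>
/// Strips script blocks and HTML tags, decodes a handful of common entities, removes a fixed
/// blacklist of SQL/shell keywords and punctuation, then HTML-encodes and trims the result.
/// </summary>
/// <remarks>
/// This is a keyword blacklist, not an injection defense: blacklists are circumventable and
/// this one also mangles ordinary text (e.g. "world" becomes "wld" because "or" is removed).
/// Database access must use parameterized queries (SqlParameter) regardless of this filter;
/// at most it is a display-sanitizing convenience. The order of the keyword list matters
/// ("delete from" before "delete", "net user" before "net"), so the entries are applied in
/// sequence rather than as one combined pattern. Encoding uses HttpUtility directly, which is
/// what Server.HtmlEncode delegates to, so the method no longer throws when there is no
/// current HttpContext (background threads, unit tests).
/// </remarks>
/// <param name="Htmlstring">Source text that may contain HTML, script, SQL keywords and special characters; may be null.</param>
/// <returns>The filtered, HTML-encoded, trimmed text; an empty string when <paramref name="Htmlstring"/> is null.</returns>
public static string NoHTML(string Htmlstring)
{
    if (Htmlstring == null)
    {
        return "";
    }

    // Remove whole <script>...</script> blocks first so their contents do not survive tag stripping.
    Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
    // Remove any remaining tag.
    Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    // Drop a line break together with the whitespace that follows it (escapes restored: the
    // published listing had "/r/n" and "/s", which match literal slashes, not newlines).
    Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    // Comment delimiters: the closing marker, then an unterminated opening comment to end of input.
    Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

    // Decode the named/numeric entities the author chose to keep; all other numeric entities are dropped.
    Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\u00A1", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\u00A2", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\u00A3", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\u00A9", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);
    Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);

    // Blacklisted SQL/shell fragments, in the original order. The second "xp_cmdshell" pass is
    // kept deliberately: removing an earlier word can leave that token re-assembled. None of the
    // entries contain regex metacharacters, so each Regex.Replace is a literal case-insensitive remove.
    string[] blacklist =
    {
        "select", "insert", "delete from", "count''", "drop table", "truncate",
        "asc", "mid", "char", "xp_cmdshell", "exec master", "net localgroup administrators",
        "and", "net user", "or", "net", "delete", "drop", "script",
    };
    foreach (string word in blacklist)
    {
        Htmlstring = Regex.Replace(Htmlstring, word, "", RegexOptions.IgnoreCase);
    }

    // Punctuation the author treats as dangerous. The original also removed "*/" and a CRLF
    // afterwards; both are unreachable here ("*" and "/" are already gone, and the line-break
    // regex above already consumed any "\r\n"), so they are omitted.
    foreach (string token in new[] { "<", ">", "*", "-", "?", ",", "/", ";" })
    {
        Htmlstring = Htmlstring.Replace(token, "");
    }

    // Same encoder Server.HtmlEncode uses, without requiring an active request context.
    return HttpUtility.HtmlEncode(Htmlstring).Trim();
}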