标题: 防范 QueryString 方式的 SQL 注入的一个方法
- zhangsir 2008-05-07 14:31 阅读:28
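/// <summary>
/// Reads the query-string value named <paramref name="str"/> from the current
/// request and passes it through <see cref="InputText"/> with a fixed maximum
/// length of 30 characters.
/// </summary>
/// <param name="str">Query-string key to read. The key itself is not filtered.</param>
/// <returns>
/// The filtered value, or <c>null</c> when the query string has no value for the
/// key (the collection indexer returns null); callers must handle the null. A
/// present-but-empty value comes back as <c>""</c>.
/// </returns>
/// <remarks>
/// SECURITY (review): the filtering done by <see cref="InputText"/> is a keyword
/// blacklist and does not make the returned string safe to concatenate into SQL.
/// Bind it as a parameter (SqlParameter) in the command that uses it.
/// </remarks>
public static string safeRequest(string str)
    {
        // The QueryString indexer already yields a string (or null when the key is
        // missing); boxing it to object and calling ToString() gained nothing.
        string raw = HttpContext.Current.Request.QueryString[str];
        if (raw == null)
        {
            return null;
        }

        // Hard-coded 30-character cap, as in the original.
        return InputText(raw, 30);
    }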
    public static string InputText(string inputString, int maxLength)
    {
        System.Text.StringBuilder retVal = new System.Text.StringBuilder();
        // check incoming parameters for null or blank string
        if ((inputString != null) && (inputString != String.Empty))
        {
            inputString = inputString.Trim();
            //op the string incase the client-side max length
            //fields are bypassed to prevent buffer over-runs
            if (inputString.Length > maxLength)
                inputString = inputString.Substring(0, maxLength);
            //convert some harmful symbols incase the regular
            //expression validators are changed
            for (int i = 0; i < inputString.Length; i++)
            {
                switch (inputString[i])
                {
                    case '"':
                        retVal.Append("&quot;");
                        break;
                    case '<':
                        retVal.Append("&lt;");
                        break;
                    case '>':
                        retVal.Append("&gt;");
                        break;
                    default:
                        retVal.Append(inputString[i]);
                        break;
                }
            }
            // Replace single quotes with white space
            retVal.Replace("'", " ");
            retVal.Replace(";", " ");
            retVal.Replace("insert", "");
            retVal.Replace("select", "");
            retVal.Replace("delete", "");
            retVal.Replace("update", "");
            retVal.Replace("drop", "");
            retVal.Replace("create", "");
            retVal.Replace("alter", "");
            retVal.Replace(" ", "20%");
            retVal.Replace("xp_cmdshell", "");
            retVal.Replace("xp_regaddmultistring", "");
            retVal.Replace("xp_regdeletekey", "");
            retVal.Replace("xp_regdeletevalue", "");
            retVal.Replace("xp_regenumkeys", "");
            retVal.Replace("xp_regenumvalues", "");
            retVal.Replace("xp_regread", "");
            retVal.Replace("xp_regremovemultistring", "");
            retVal.Replace("xp_regwrite", "");
            retVal.Replace("sp_OACreate", "");
            retVal.Replace("sp_OADestroy", "");
            retVal.Replace("sp_OAMethod", "");
            retVal.Replace("sp_OAGetProperty", "");
            retVal.Replace("sp_OASetProperty", "");
            retVal.Replace("sp_OAGetErrorInfo", "");
            retVal.Replace("sp_OAStop", "");
        }
        return retVal.ToString();
    }
