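/// <summary>
/// Decodes sensitive keywords that were previously wrapped in square brackets:
/// "[and]" becomes "and", "[SELECT]" becomes "SELECT". Only a whole-word keyword
/// from the list below that is enclosed in "[" and "]" is touched; a bare keyword
/// is returned unchanged, which is why MyDecodeOutputString("and") yields "and".
/// The bracket wrapping is presumably produced by a matching encode step elsewhere —
/// confirm against the caller.
/// </summary>
/// <param name="outputstring">Text to decode. null and "" are returned as they are.</param>
/// <returns>The decoded text, or "" if the replacement threw.</returns>
/// <remarks>
/// This is display-side escaping, not an injection defense: any value that reaches
/// SQL must still go through parameterized queries.
/// </remarks>
public static string MyDecodeOutputString(string outputstring)
{
    // Sensitive words the encoder wraps in [ ]. "net +user" etc. allow one or more
    // spaces between the words.
    const string SqlStr = @"and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators";

    if (string.IsNullOrEmpty(outputstring))
    {
        return outputstring; // null stays null, "" stays "", as in the original
    }

    try
    {
        // \[ and \] are literal brackets, so only "[keyword]" matches; the \b on
        // each side keeps "[android]" from matching via "and". Group 1 is the bare
        // keyword, i.e. the match without its first and last character.
        Regex regex = new Regex(@"\[\b(" + SqlStr + @")\b\]", RegexOptions.IgnoreCase);

        // Single pass over the string; replaces the original loop that re-ran a
        // whole-string Replace for every match.
        return regex.Replace(outputstring, "$1");
    }
    catch (Exception)
    {
        // Preserved from the original contract: any failure yields "" rather than
        // propagating, so callers never see the error.
        return "";
    }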
}这个方法。我测试MyDecodeOutputString("and");他这么就直接返回给我了啊。
根本没有验证到。请问是哪点的问题啊。
{
// Sensitive words to be replaced (the keyword list used in the pattern below).
string SqlStr = @"and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators";
try
{
// null and "" are passed through unchanged.
if ((outputstring != null) && (outputstring != String.Empty))
{
// \[ and \] are literal brackets: only "[keyword]" matches, so a bare "and"
// (no brackets) never matches and is returned as-is.
string str_Regex = @"\[\b(" + SqlStr + @")\b\]";
Regex Regex = new Regex(str_Regex, RegexOptions.IgnoreCase);
MatchCollection matches = Regex.Matches(outputstring);
// Each match is "[keyword]"; Substring(1, Length - 2) strips the brackets.
// String.Replace replaces every occurrence of that matched text in the string.
for (int i = 0; i < matches.Count; i++)
outputstring = outputstring.Replace(matches[i].Value, matches[i].Value.Substring(1, matches[i].Value.Length - 2)); }
}
catch
{
// Any exception is swallowed and reported as an empty string.
return "";
}
return outputstring;
}这个方法。我测试MyDecodeOutputString("and");他这么就直接返回给我了啊。
根本没有验证到。请问是哪点的问题啊。
你这样当是字符串是and 1=1可以匹配到and
当是where and 这样就匹配不到and了
and|nd|d
这3个关键词。你的表达式即便正确也无法分辨出来。而前后加[和]也是多余的。
不过我测试了下可以! string str = "where and sss";
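string SqlStr = @"and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators";
// Both boundaries must be verbatim: a plain "\b" literal is the backspace
// character (U+0008), not a regex word boundary. The (?:...) group makes the
// boundaries apply to every alternative, not just the first and last one.
Regex regex = new Regex(@"\b(?:" + SqlStr + @")\b");
MatchCollection match = regex.Matches(str);
for (int i = 0; i < match.Count; i++)
{
    string found = match[i].Value;
    Console.Write(found + "\n");
    // Substring(1, Length - 2) throws for a one-character match such as "*";
    // keep such a match as it is.
    string trimmed = found.Length >= 2 ? found.Substring(1, found.Length - 2) : found;
    Console.Write(str.Replace(found, trimmed));
    Console.Read();
}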
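static void Main(string[] args)
{
    Console.WriteLine(MyDecodeOutputString("where and sss"));
    Console.ReadKey();
}

// Sensitive words stripped from output. "net +user" etc. allow one or more
// spaces between the words.
private const string SqlStr = @"and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators";

// Built once for the process: RegexOptions.Compiled is expensive to construct,
// so creating the instance inside the method paid that cost on every call.
private static readonly Regex SensitiveWordRegex =
    new Regex(@"\b(?:" + SqlStr + @")\b", RegexOptions.IgnoreCase | RegexOptions.Compiled);

/// <summary>
/// Removes every whole-word, case-insensitive occurrence of the keywords in
/// <see cref="SqlStr"/> from <paramref name="outputstring"/>.
/// </summary>
/// <param name="outputstring">Text to filter. null and "" are returned unchanged.</param>
/// <returns>The text with the keywords deleted, or "" if the replacement threw.</returns>
/// <remarks>
/// Keyword blacklisting is not an injection defense and also deletes ordinary
/// words ("or", "count", "master") from legitimate text; anything that reaches
/// SQL must go through parameterized queries, and this is for display filtering
/// only. Because of the surrounding \b, the "\*" entry only matches a "*" that
/// sits between word characters.
/// To mirror the asker's variant instead (drop the first and last character of
/// each match), pass a MatchEvaluator such as
/// m => m.Length > 2 ? m.Value.Substring(1, m.Length - 2) : m.Value.
/// </remarks>
public static string MyDecodeOutputString(string outputstring)
{
    if (string.IsNullOrEmpty(outputstring))
    {
        return outputstring; // null stays null, "" stays "", as in the original
    }

    try
    {
        // Delete the whole keyword.
        return SensitiveWordRegex.Replace(outputstring, string.Empty);
    }
    catch (Exception)
    {
        // Preserved from the original contract: any failure yields "" rather than
        // propagating, so callers never see the error.
        return "";
    }
}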