调试易

我自己一直是这么写的，希望对你有启发
#region 过滤字符
        /// <summary>
        /// 具体情况来定要过滤的字符
        /// </summary>
        /// <param name="param">要过滤的字符</param>
        public static string CheckSaftParam(string param)
        {            param = param.Replace("net user", "");
            param = param.Replace("xp_cmdshell", "");
            param = param.Replace("/add", "");
            param = param.Replace("exec%20master.dbo.xp_cmdshell", "");
            param = param.Replace("net localgroup administrators", "");
            param = param.Replace("select", "");
            param = param.Replace("'", "''");
            param = param.Replace("insert", "");
            param = param.Replace("delete", "");
            param = param.Replace("drop", "");
            param = param.Replace("truncate", "");
            param = param.Replace("from", "");
            param = param.Replace("%", "");
            param = param.Replace("%20", "");            return param;
        }
        #endregion

很多啊   比如关键字"detele","update","insert"
之类的

过滤了关键字以后，还可以建立一个DDL得触发器，这样的话对表或数据库的危险的操作都可以不让执行

出错?怎么才能出错呢,就是人家比如在浏览器上注入的时候报错呢
不是单指说我在文本框中输入',select,drop不报错就ok了

str = str.Replace(";","").Replace("*","").Replace("'","").Replace("&","").Replace(" ","").Replace("%20","").Replace("--","").Replace("==","").Replace("<","").Replace(">","").Replace("%","").Replace("nchar","").Replace("select","").Replace("update","").Replace("insert","").Replace("create","").Replace("drop","").Replace("delete","");