求一或若干Sql防注入函数 RT 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 楼上对的,最好不要直接连接,而是加到参数里.sqlparameter,oledbparameter简单一点的办法是字符串替换.因为sql注入最危险的一个字符是'"语句".Replace("'","''");或者"语句".Replace("'",""); 替换为无推荐第一种方法. public static bool checkstring(string str) //危险码过滤 { string str2 = str; if (str == "" || str == null) { return false; } else { str = str.ToLower(); str = str.Replace("'", ""); str = str.Replace("-", ""); str = str.Replace("<", ""); str = str.Replace(">", ""); str = str.Replace("and", ""); str = str.Replace("or", ""); str = str.Replace("=", ""); str = str.Replace("%", ""); str = str.Replace("*", ""); str = str.Replace("?", ""); str = str.Replace("#", ""); str = str.Replace("~", ""); str = str.Replace("&", ""); str = str.Replace("^", ""); } if (str.Length == str2.Length) { return true; } else { return false; } }然后再输入框那直接调用函数即可if (ConBLL.checkstring(A_usernmae.Text) && ConBLL.checkstring(A_password1.Text)&&ConBLL.checkstring(A_password2.Text))//限制注入乱码 {hskfhsadfsffsfsafsadfsdafsadfsdf} 不管你用什么方法,只要封装了访问方式都可以防Sql防注入函数,比如存储过程;SqlParameter也行 #region 安全检测 /// <summary> /// SQL防注入(URL参数方式) /// select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|retun|as|go|exists /// </summary> public static void chkSql(string str, int Tips_mode, string ErrUrl) { string str_t = string.Empty; if (Tips_mode.ToString() == "") { Tips_mode = 1; //处理方式:1=提示信息,2=转向页面,3=先提示再转向 } if (ErrUrl == "") { ErrUrl = "Default.Aspx"; //出错时转向的页面 } if (str == "") { str = System.Web.HttpContext.Current.Request.ServerVariables["QUERY_STRING"]; } str_t = str.ToLower(); if (str_t.IndexOf("'") >= 0 || str_t.IndexOf(" or ") >= 0 || str_t.IndexOf(" and ") >= 0 || str_t.IndexOf("exec") >= 0 || str_t.IndexOf("select") >= 0 || str_t.IndexOf("update") >= 0 || str_t.IndexOf("chr") >= 0 || str_t.IndexOf("delete") >= 0 || str_t.IndexOf(";") >= 0 || str_t.IndexOf("insert") >= 0 || str_t.IndexOf("count") >= 0 || str_t.IndexOf("drop") >= 0 || 
str_t.IndexOf("and") >= 0 || str_t.IndexOf("truncate") >= 0 || str_t.IndexOf("shell") >= 0 || str_t.IndexOf("declare") >= 0 || str_t.IndexOf("@") >= 0 || str_t.IndexOf("declare") >= 0 || str_t.IndexOf("dbcc") >= 0 || str_t.IndexOf("alter") >= 0 || str_t.IndexOf("create") >= 0 || str_t.IndexOf("backup") >= 0 || str_t.IndexOf("if") >= 0 || str_t.IndexOf("else") >= 0 || str_t.IndexOf(" add ") >= 0 || str_t.IndexOf(" open ") >= 0 || str_t.IndexOf(" close ") >= 0 || str_t.IndexOf("begin") >= 0 || str_t.IndexOf("retun") >= 0 || str_t.IndexOf("exists") >= 0 || str_t.IndexOf("go ") >= 0 || str_t.IndexOf("as ") >= 0 ) { switch (Tips_mode) { case 1: System.Web.HttpContext.Current.Response.Write("<script Language=JavaScript>alert('出现错误!参数中包含非法字符串!');</script>"); System.Web.HttpContext.Current.Response.End(); break; case 2: System.Web.HttpContext.Current.Response.Write("<Script Language=JavaScript>location.href='" + ErrUrl + "'</Script>"); System.Web.HttpContext.Current.Response.End(); break; case 3: System.Web.HttpContext.Current.Response.Write("<Script Language=JavaScript>alert('出现错误!参数中包含非法字符串!');ocation.href='" + ErrUrl + "';</Script>"); System.Web.HttpContext.Current.Response.End(); break; } } } /// <summary> /// 表单内容提交检查非法字符 /// </summary> public static string chkSubmitData(string values) { if (values.Trim() != "") { values = values.Replace("'", "'").Replace("&", "&").Replace("%20", "").Replace("--", "").Replace("==", "").Replace("<", "").Replace(">", "").Replace("%", "%").Replace("script", "").Replace("/script", ""); } return values; } #endregion 1.使用存储过程2.private static string HTMLEncode(string fString) { if (fString != string.Empty) { //替换尖括号 fString.Replace("<", "<"); fString.Replace(">", "&rt"); //替换引号 fString.Replace(((char)34).ToString(), """); fString.Replace(((char)39).ToString(), "'"); //替换空格 fString.Replace(((char)13).ToString(), ""); //替换换行符 fString.Replace(((char)10).ToString(), "<BR> "); } return (fString); } 由于。net和asp混合编程,asp 中没Parameter非常感谢,晚上回去结贴 
"语句".Replace("'","''"); 或者 "语句".Replace("'",""); （后者是把单引号替换为空），推荐第一种。注意：这种替换只能保护被单引号包裹的字符串字面量，拼接进数字、LIKE 等位置的输入仍然无法防护，应优先使用 SqlParameter 参数化查询。
/// <summary>
/// Coarse "dangerous character" gate from the thread: returns true only when
/// <paramref name="str"/> is non-empty and contains none of the blocklisted
/// substrings ' - &lt; &gt; and or = % * ? # ~ &amp; ^ (matched case-insensitively).
/// </summary>
/// <param name="str">Raw user input; null or empty yields false.</param>
/// <returns>true when no blocklisted substring is present, otherwise false.</returns>
/// <remarks>
/// NOTE(review): this is not a SQL-injection defense. It matches bare substrings, so
/// ordinary words such as "password" (contains "or") or "Andrew" (contains "and") are
/// rejected, while anything not on the list passes untouched. The query itself must use
/// SqlParameter; treat this only as an input-format rule.
/// </remarks>
public static bool checkstring(string str) // "dangerous code filter" in the original
{
    if (string.IsNullOrEmpty(str))
    {
        return false;
    }

    // Lower-case once so the token list only needs lower-case entries
    // (the original lower-cased before its chain of Replace() calls).
    string lowered = str.ToLower();
    string[] blocklist = { "'", "-", "<", ">", "and", "or", "=", "%", "*", "?", "#", "~", "&", "^" };

    // Equivalent to the original "remove every token, then compare lengths":
    // the length changes exactly when at least one token occurs.
    foreach (string token in blocklist)
    {
        if (lowered.Contains(token))
        {
            return false;
        }
    }
    return true;
}
然后在输入框那里直接调用该函数即可（这只是输入层面的黑名单过滤，数据库访问本身仍应使用 SqlParameter 参数化）。
// Gate all three form fields through the blocklist before touching the database
// (the original comment reads "limit injection garbage"). Short-circuits exactly
// like the original &&-chain.
// NOTE(review): checkstring rejects any value containing "or", "and", "&", "-", "%" ...
// so ordinary passwords fail here, and it does not replace SqlParameter in the
// query that follows.
bool allFieldsClean = ConBLL.checkstring(A_usernmae.Text)
    && ConBLL.checkstring(A_password1.Text)
    && ConBLL.checkstring(A_password2.Text);
if (allFieldsClean)
{
    hskfhsadfsffsfsafsadfsdafsadfsdf
}
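/// <summary>
/// Keyword/metacharacter blocklist scan for URL parameters. Scans <paramref name="str"/>
/// (or the current request's QUERY_STRING when <paramref name="str"/> is null or empty);
/// on a hit it emits a client-side alert and/or redirect and ends the response, otherwise
/// it returns normally.
/// </summary>
/// <param name="str">Text to scan; null or empty means "scan the raw QUERY_STRING".</param>
/// <param name="Tips_mode">Reaction on a hit: 1 = alert, 2 = redirect to ErrUrl, 3 = alert then redirect. Any other value behaves as 1.</param>
/// <param name="ErrUrl">Redirect target for modes 2 and 3; "Default.Aspx" when null or empty.</param>
/// <remarks>
/// NOTE(review): a blocklist is not a SQL-injection defense. It is bypassed by any keyword
/// or encoding not on the list, and it rejects harmless text containing "if", "as ", "count",
/// "chr", "else"... The query must use SqlParameter; keep this, if at all, as defense in depth.
/// Fixes in this revision: an out-of-range Tips_mode no longer falls through the switch and
/// lets the request continue (fail-open); a null str no longer throws; the scan URL-decodes
/// first so %27 cannot slip past the "'" check; ErrUrl is escaped before being placed inside
/// script; the "ocation.href" typo in mode 3 (the redirect never fired) and the "retun" token
/// are corrected; the duplicated "declare" entry is removed.
/// </remarks>
public static void chkSql(string str, int Tips_mode, string ErrUrl)
{
    // The original test `Tips_mode.ToString() == ""` can never be true for an int, so an
    // unexpected mode silently did nothing on a hit. Normalize to the documented default.
    if (Tips_mode < 1 || Tips_mode > 3)
    {
        Tips_mode = 1;
    }
    if (string.IsNullOrEmpty(ErrUrl))
    {
        ErrUrl = "Default.Aspx";
    }
    if (string.IsNullOrEmpty(str))
    {
        // The original only compared against "" and dereferenced null at ToLower().
        str = System.Web.HttpContext.Current.Request.ServerVariables["QUERY_STRING"];
        if (str == null)
        {
            str = string.Empty;
        }
    }

    // QUERY_STRING is the raw, still-encoded query; decode so the scan sees the same
    // characters the application will (e.g. %27 -> ').
    string decoded = System.Web.HttpUtility.UrlDecode(str);
    if (!ContainsSqlBlockedToken(decoded))
    {
        return;
    }

    // ErrUrl goes into a single-quoted JavaScript string; escape what could end the
    // string or the script block so a caller forwarding request data cannot inject script.
    // (HttpUtility.JavaScriptStringEncode does the same on .NET 4+.)
    string jsUrl = ErrUrl
        .Replace("\\", "\\\\")
        .Replace("'", "\\'")
        .Replace("\"", "\\\"")
        .Replace("<", "\\x3C")
        .Replace("\r", "\\r")
        .Replace("\n", "\\n");

    System.Web.HttpResponse response = System.Web.HttpContext.Current.Response;
    switch (Tips_mode)
    {
        case 1:
            response.Write("<script Language=JavaScript>alert('出现错误!参数中包含非法字符串!');</script>");
            break;
        case 2:
            response.Write("<Script Language=JavaScript>location.href='" + jsUrl + "'</Script>");
            break;
        default: // 3
            // The original wrote "ocation.href" — a JavaScript ReferenceError — so the redirect never happened.
            response.Write("<Script Language=JavaScript>alert('出现错误!参数中包含非法字符串!');location.href='" + jsUrl + "';</Script>");
            break;
    }
    // Every mode must stop the request; the original had no default case and so did not.
    response.End();
}

/// <summary>
/// Tokens chkSql rejects. Same list as the original with the duplicate "declare"
/// removed and "retun" corrected to "return"; matched case-insensitively.
/// </summary>
private static readonly string[] SqlBlockedTokens =
{
    "'", " or ", " and ", "exec", "select", "update", "chr", "delete", ";",
    "insert", "count", "drop", "and", "truncate", "shell", "declare", "@",
    "dbcc", "alter", "create", "backup", "if", "else", " add ", " open ",
    " close ", "begin", "return", "exists", "go ", "as ",
};

/// <summary>
/// True when <paramref name="text"/> contains any entry of SqlBlockedTokens
/// (ordinal, case-insensitive). Pure; no request state is touched.
/// </summary>
private static bool ContainsSqlBlockedToken(string text)
{
    foreach (string token in SqlBlockedTokens)
    {
        if (text.IndexOf(token, System.StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return true;
        }
    }
    return false;
}
/// <summary>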
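/// Strip-filter for form-submitted text: removes a fixed set of substrings
/// (encoded spaces, SQL comment/equality tokens, angle brackets, "script" tags).
/// Returns the input unchanged when it is null, empty or whitespace-only.
/// </summary>
/// <param name="values">Raw submitted text; may be null.</param>
/// <returns>The filtered text, or <paramref name="values"/> itself when there is nothing to filter.</returns>
/// <remarks>
/// NOTE(review): a strip filter is neither a SQL-injection nor an XSS defense — use
/// parameterized SQL and context-aware output encoding. In the original, three of the
/// Replace calls were identities (' to ', &amp; to &amp;, % to %), most likely HTML entities
/// lost when the post was copied, so those characters passed straight through; they are
/// omitted here because they did nothing — decide the intended replacement before relying
/// on this. Fixes in this revision: null no longer throws at Trim(), and the removal is
/// repeated to a fixed point so nested tokens ("sscriptcript") cannot survive a single pass.
/// </remarks>
public static string chkSubmitData(string values)
{
    // The original called values.Trim() unguarded and threw NullReferenceException on null.
    if (values == null || values.Trim().Length == 0)
    {
        return values;
    }

    // Same tokens and order as the original; "/script" is kept although removing
    // "script" first already reduces it to "/".
    string[] tokens = { "%20", "--", "==", "<", ">", "script", "/script" };

    // One pass can be bypassed by nesting ("sscriptcript" -> "script"), so repeat
    // until nothing changes. Each pass only shortens the string, so this terminates.
    string previous;
    do
    {
        previous = values;
        foreach (string token in tokens)
        {
            values = values.Replace(token, string.Empty);
        }
    }
    while (values != previous);

    return values;
}
#endregion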
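/// <summary>
/// Option 2 from the thread (option 1 was "use stored procedures"): HTML-encode a string
/// for output in a page. Encodes ampersand, angle brackets and both quote characters as
/// entities, drops carriage returns and renders each line feed as a BR tag followed by a space.
/// </summary>
/// <param name="fString">Text to encode; null or empty is returned as-is.</param>
/// <returns>Text safe to place in HTML element content.</returns>
/// <remarks>
/// Fixes in this revision: the original discarded every Replace() result (strings are
/// immutable, so it returned the input untouched); its replacement literals had been
/// mangled (identity for the opening bracket and the apostrophe, "rt" instead of "gt",
/// an unterminated literal for the double quote); it did not encode the ampersand; and a
/// null argument threw. NOTE(review): this is output encoding for HTML element content
/// and is not a SQL-injection measure; it is not sufficient inside unquoted attributes,
/// URLs or script blocks.
/// </remarks>
private static string HTMLEncode(string fString)
{
    if (string.IsNullOrEmpty(fString))
    {
        return fString;
    }

    // '&' first, otherwise the entities produced below would themselves be re-encoded.
    string encoded = fString
        .Replace("&", "&amp;")
        .Replace("<", "&lt;")
        .Replace(">", "&gt;")
        .Replace("\"", "&quot;")   // (char)34
        .Replace("'", "&#39;");    // (char)39 — &apos; is not HTML 4

    // Line endings as the original intended: drop CR, render LF as a <BR>.
    return encoded.Replace("\r", string.Empty).Replace("\n", "<BR> ");
}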
非常感谢,晚上回去结贴