为了防止SQL注入,写了这么一个safety的方法(方法还是函数?)
我想怎么把提取到的值来传入到这个safety的字符串中,去执行呢?protected void Page_Load(object sender, EventArgs e)
{
string nid = Request.QueryString["id"].ToString();
}
public string safety(string sql)
{
sql = sql.Trim();
sql = sql.Replace("<", "");
sql = sql.Replace(">", "");
sql = sql.Replace(" ", "");
sql = sql.Replace("*", "");
sql = sql.Replace("'", "");
sql = sql.Replace("%", "");
//.........
return sql;
}下面是全页的代码using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;public partial class Nrong : System.Web.UI.Page
{
protected string sql;
protected Class my = new Class();
protected void Page_Load(object sender, EventArgs e)
{
string nid = Request.QueryString["id"].ToString();
sql = "select Nr,banzhu from Ances where Anid=" + nid;
DataTable dt = my.Sql_SelectTable(sql);
Label1.Text = dt.Rows[0][0].ToString();
Label2.Text = dt.Rows[0][1].ToString(); Session["NRs"] = Label1.Text;
Session["nid"] = nid;
bd(); if (Application["online"] == null || Application["online"] == "")
{
Label3.Visible = false;
}
else
{
this.Label3.Text = Application["online"].ToString();
}
}
public string safety(string sql)
{
sql = sql.Trim();
sql = sql.Replace("<", "");
sql = sql.Replace(">", "");
sql = sql.Replace(" ", "");
sql = sql.Replace("*", "");
sql = sql.Replace("'", "");
sql = sql.Replace("%", "");
//.........
return sql;
}
public void bd()
{
string nid = Request.QueryString["id"].ToString();
sql = "select * from post where anid="+nid+" order by youxianji desc";
DataTable dt = my.Sql_SelectTable(sql);
GridView1.DataSource = dt;
GridView1.DataBind();
} public void selphoto()
{
sql="update post set zttupian2='~/image/ztop.gif' where youxianji=4";
string sql1 = "update post set zttupian2='~/image/isbest.gif' where youxianji=3";
string sql2 = "update post set zttupian2='~/image/lockfolder.gif' where youxianji=2";
my.Sql_Dml(sql);
my.Sql_Dml(sql1);
my.Sql_Dml(sql2); }
}
我想怎么把提取到的值来传入到这个safety的字符串中,去执行呢?protected void Page_Load(object sender, EventArgs e)
{
string nid = Request.QueryString["id"].ToString();
}
public string safety(string sql)
{
sql = sql.Trim();
sql = sql.Replace("<", "");
sql = sql.Replace(">", "");
sql = sql.Replace(" ", "");
sql = sql.Replace("*", "");
sql = sql.Replace("'", "");
sql = sql.Replace("%", "");
//.........
return sql;
}下面是全页的代码using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;public partial class Nrong : System.Web.UI.Page
{
protected string sql;
protected Class my = new Class();
protected void Page_Load(object sender, EventArgs e)
{
string nid = Request.QueryString["id"].ToString();
sql = "select Nr,banzhu from Ances where Anid=" + nid;
DataTable dt = my.Sql_SelectTable(sql);
Label1.Text = dt.Rows[0][0].ToString();
Label2.Text = dt.Rows[0][1].ToString(); Session["NRs"] = Label1.Text;
Session["nid"] = nid;
bd(); if (Application["online"] == null || Application["online"] == "")
{
Label3.Visible = false;
}
else
{
this.Label3.Text = Application["online"].ToString();
}
}
public string safety(string sql)
{
sql = sql.Trim();
sql = sql.Replace("<", "");
sql = sql.Replace(">", "");
sql = sql.Replace(" ", "");
sql = sql.Replace("*", "");
sql = sql.Replace("'", "");
sql = sql.Replace("%", "");
//.........
return sql;
}
public void bd()
{
string nid = Request.QueryString["id"].ToString();
sql = "select * from post where anid="+nid+" order by youxianji desc";
DataTable dt = my.Sql_SelectTable(sql);
GridView1.DataSource = dt;
GridView1.DataBind();
} public void selphoto()
{
sql="update post set zttupian2='~/image/ztop.gif' where youxianji=4";
string sql1 = "update post set zttupian2='~/image/isbest.gif' where youxianji=3";
string sql2 = "update post set zttupian2='~/image/lockfolder.gif' where youxianji=2";
my.Sql_Dml(sql);
my.Sql_Dml(sql1);
my.Sql_Dml(sql2); }
}
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货