sqlserver sql注入过滤帮助类
Posted 棉晗榜
//创建时间:2022-1-12 17:30:06
//作者:XXX
//功用:SQL注入过滤,过滤传入字符串中的非法字符
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
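namespace WebInfoFormReport.Model.Tool
{
    /// <summary>
    /// Blacklist-based stripper that removes a fixed set of SQL fragments from a query parameter.
    /// </summary>
    /// <remarks>
    /// This is a defence-in-depth measure only, not a sanitizer. It deletes every occurrence of the
    /// listed substrings, which is lossy for ordinary text (for example "information" loses "for",
    /// "user" loses "use", "Pascal" loses "asc") and cannot enumerate every way a dynamically built
    /// statement can be broken out of. Any command that embeds user input must bind it through
    /// parameterized queries (<c>SqlParameter</c>); this filter must not be the only barrier between
    /// untrusted input and SQL Server.
    /// </remarks>
    public static class SqlFilter
    {
        // Every substring that is removed, ordered longest first so that a longer token is never
        // left half-deleted by its own prefix ("execute" before "exec", "ascii" before "asc").
        // Tokens of equal length keep the order of the original hand-written list.
        private static readonly string[] BlockedTokens = BuildTokenList();

        // Builds the ordered token list once; OrderByDescending is a stable sort, so equal-length
        // tokens keep their relative order.
        private static string[] BuildTokenList()
        {
            string[] tokens =
            {
                // separators / operators
                "--", "'", "@@", "^", "<", ">",
                // statements
                "delete", "drop", "exec", "create", "union", "select", "execute", "backup",
                // procedure / function name prefixes
                "xp_", "sp_", "db_", "is_", "host_",
                // system tables
                "sysdatabases", "sysobjects", "syscolumns", "tempdb",
                // functions
                "asc", "abc", "unicode", "nchar", "substring", "use", "count", "len", "ascii", "cast", "exists",
                // keywords
                "xtype", "master", "truncate", "declare", "database", "sysadmin", "for", "@echo",
            };

            return tokens.OrderByDescending(t => t.Length).ToArray();
        }

        /// <summary>
        /// Trims <paramref name="sqlParameter"/> and removes every listed token from it,
        /// case-insensitively, repeating until no listed token remains.
        /// </summary>
        /// <param name="sqlParameter">The raw parameter value; <c>null</c> is treated as empty.</param>
        /// <returns>The trimmed value with all listed tokens removed; never <c>null</c>.</returns>
        public static string QueryParameterFilter(this string sqlParameter)
        {
            if (string.IsNullOrEmpty(sqlParameter))
            {
                return string.Empty;
            }

            string current = sqlParameter.Trim();
            string previous;

            // Deleting one match can join the characters on either side of it into another
            // listed token, so keep sweeping until a full pass changes nothing. Every pass that
            // changes the string shortens it, so the loop terminates.
            do
            {
                previous = current;
                foreach (string token in BlockedTokens)
                {
                    current = current.Replace(token, string.Empty, StringComparison.OrdinalIgnoreCase);
                }
            }
            while (!string.Equals(current, previous, StringComparison.Ordinal));

            return current;
        }
    }
}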