过滤sql敏感字符

static class SensitiveDataUtil { private static string ChangeSubStr(string s, string oldstr, string newstr) { if (s == null || s == "") return ""; string s1 = s.ToLower(); int i = s1.IndexOf(oldstr); while (i != -1) { string l = s.Substring(0, i); string r = s.Substring(i + oldstr.Length); s = l + newstr + r; s1 = s.ToLower(); i = s1.IndexOf(oldstr); } return s; } public static void CheckForSQLs(HttpRequest Request) { string[] sql = new string[] { "/*", "*/", "--", "‘", "declare", "select", "into", "insert", "update", "delete", "drop", "create", "exec", "master" }; string[] sqlc = new string[] { "/ *", "* /", "- -", "＇", "ｄｅｃｌａｒｅ", "ｓｅｌｅｃｔ", "ｉｎｔｏ", "ｉｎｓｅｒｔ", "ｕｐｄａｔｅ", "ｄｅｌｅｔｅ", "ｄｒｏｐ", "ｃｒｅａｔｅ", "ｅｘｅｃ", "ｍａｓｔｅｒ" }; //Form if (Request.Form.Count > 0) { Type type = typeof(System.Collections.Specialized.NameObjectCollectionBase);// Request.Form.GetType(); PropertyInfo pi = type.GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic); pi.SetValue(Request.Form, false, null); for (int i = 0; i < Request.Form.Count; i++) { string s = Request.Form[i]; for (int j = 0; j < sql.Length; j++) s = ChangeSubStr(s, sql[j], sqlc[j]); Request.Form.Set(Request.Form.GetKey(i), s); } pi.SetValue(Request.Form, true, null); } //QueryString if (Request.QueryString.Count > 0) { Type type = typeof(System.Collections.Specialized.NameObjectCollectionBase);// Request.Form.GetType(); PropertyInfo pi = type.GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic); pi.SetValue(Request.QueryString, false, null); for (int i = 0; i < Request.QueryString.Count; i++) { string s = Request.QueryString[i]; for (int j = 0; j < sql.Length; j++) s = ChangeSubStr(s, sql[j], sqlc[j]); Request.QueryString.Set(Request.QueryString.GetKey(i), s); } pi.SetValue(Request.QueryString, true, null); } }

 

过滤sql敏感字符

标签：