防范 querystring 方式的 SQL 注入的一个方法（黑名单过滤，只能作为辅助手段，不能替代参数化查询）

/// <summary>
/// Reads one query-string parameter from the current ASP.NET request and
/// returns it after <see cref="InputText"/> has trimmed, clipped (30 chars),
/// HTML-escaped and keyword-filtered it.
/// </summary>
/// <remarks>
/// The filtering is blacklist-based; it is not a substitute for parameterized
/// SQL in the caller. Assumes an active request (HttpContext.Current non-null).
/// </remarks>
/// <param name="str">Name of the query-string key to read.</param>
/// <returns>The filtered value, or null when the key is not present.</returns>
public static string safeRequest(string str)
{
    object rawValue = HttpContext.Current.Request.QueryString[str];
    if (rawValue == null)
    {
        // Absent key: callers get null, not an empty string.
        return null;
    }

    // 30 is the hard-coded input limit this helper has always applied.
    return InputText(rawValue.ToString(), 30);
}
    
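/// <summary>
/// Filters one untrusted text value: trims it, clips it to
/// <paramref name="maxLength"/> characters, HTML-escapes <c>"</c>, <c>&lt;</c>
/// and <c>&gt;</c>, then strips quotes, semicolons, a fixed list of SQL
/// keywords and SQL Server extended stored-procedure names.
/// </summary>
/// <remarks>
/// SECURITY: this is blacklist filtering and must not be relied on as the
/// SQL-injection defense. Callers must still hand the value to the database
/// through parameterized commands (SqlParameter); this is defense in depth at
/// best. It also mangles legitimate input ("selection" becomes "ion"), so use
/// it only where that is acceptable.
/// Keyword matching is case-insensitive (SQL keywords are) and the replacement
/// pass is repeated until the text stops changing, so "SELECT" and nested
/// payloads such as "selselectect" do not survive a single pass.
/// </remarks>
/// <param name="inputString">Raw value; null or empty yields an empty string.</param>
/// <param name="maxLength">Maximum characters kept from the trimmed input. The
/// clip is applied before escaping, so the returned string can be longer.</param>
/// <returns>The filtered text; never null.</returns>
public static string InputText(string inputString, int maxLength)
{
    if (string.IsNullOrEmpty(inputString))
    {
        return string.Empty;
    }

    string text = inputString.Trim();

    // Clip in case client-side length limits were bypassed.
    if (text.Length > maxLength)
    {
        text = text.Substring(0, maxLength);
    }

    // Escape the HTML-significant characters in case the regular-expression
    // validators in front of this are changed.
    System.Text.StringBuilder escaped = new System.Text.StringBuilder(text.Length);
    foreach (char ch in text)
    {
        switch (ch)
        {
            case '"':
                escaped.Append("&quot;");
                break;
            case '<':
                escaped.Append("&lt;");
                break;
            case '>':
                escaped.Append("&gt;");
                break;
            default:
                escaped.Append(ch);
                break;
        }
    }
    text = escaped.ToString();

    // Replacement rules in their original order. Quotes and semicolons become
    // spaces, and every space then becomes "20%".
    // NOTE(review): "%20" was probably intended here; kept as-is because
    // existing callers may depend on the current output.
    string[][] rules = new string[][]
    {
        new string[] { "'", " " },
        new string[] { ";", " " },
        new string[] { "insert", "" },
        new string[] { "select", "" },
        new string[] { "delete", "" },
        new string[] { "update", "" },
        new string[] { "drop", "" },
        new string[] { "create", "" },
        new string[] { "alter", "" },
        new string[] { " ", "20%" },
        new string[] { "xp_cmdshell", "" },
        new string[] { "xp_regaddmultistring", "" },
        new string[] { "xp_regdeletekey", "" },
        new string[] { "xp_regdeletevalue", "" },
        new string[] { "xp_regenumkeys", "" },
        new string[] { "xp_regenumvalues", "" },
        new string[] { "xp_regread", "" },
        new string[] { "xp_regremovemultistring", "" },
        new string[] { "xp_regwrite", "" },
        new string[] { "sp_OACreate", "" },
        new string[] { "sp_OADestroy", "" },
        new string[] { "sp_OAMethod", "" },
        new string[] { "sp_OAGetProperty", "" },
        new string[] { "sp_OASetProperty", "" },
        new string[] { "sp_OAGetErrorInfo", "" },
        new string[] { "sp_OAStop", "" },
    };

    // Repeat the whole pass until nothing changes, so that removing one
    // keyword cannot expose another ("selselectect" -> "select" -> "").
    // Termination: after the first pass no quote, semicolon or space is left
    // (nothing re-introduces them), so later passes can only delete text.
    string previous;
    do
    {
        previous = text;
        foreach (string[] rule in rules)
        {
            text = ReplaceIgnoreCase(text, rule[0], rule[1]);
        }
    }
    while (text != previous);

    return text;
}

/// <summary>
/// Replaces every occurrence of <paramref name="pattern"/> (taken literally,
/// not as a regex) in <paramref name="text"/> with <paramref name="replacement"/>,
/// ignoring case with culture-invariant rules (avoids the Turkish-I problem).
/// </summary>
private static string ReplaceIgnoreCase(string text, string pattern, string replacement)
{
    return System.Text.RegularExpressions.Regex.Replace(
        text,
        System.Text.RegularExpressions.Regex.Escape(pattern),
        replacement,
        System.Text.RegularExpressions.RegexOptions.IgnoreCase
            | System.Text.RegularExpressions.RegexOptions.CultureInvariant);
}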