These days it seems that SQL injection attacks are in full swing on CSDN, so I will give it a try. As shown below, the checkparams function can receive arbitrary parameters. If a parameter is a string, the function checks that string; if it is a collection (such as an array, in short anything that implements ICollection), it checks the string elements of the collection. You can specify the characters to be filtered according to your actual situation; in my example they are tentatively set to = and '. In fact, I personally think that once these two characters are filtered out, it seems difficult to inject SQL statements. Of course, I am a newbie to SQL statements. Thank you. My mailbox (MSN): Appledotnet@hotmail.com
For example, if lawlesses is the pair of signs = and ', the regular expression is .*[=|'].* (for more about regular expressions, see MSDN). Because I want a common and easy-to-modify function, I added one extra step that builds the regular expression from the character array; in actual use you can also write the regular expression directly.

    using System.Collections;
    using System.Text.RegularExpressions;

    bool CheckParams(params object[] args)
    {
        string[] lawlesses = { "=", "'" };     // characters to filter; adjust to your situation
        if (lawlesses == null || lawlesses.Length <= 0) return true;

        // Build the regular expression from the character array, e.g. .*[=|'].*
        // (note that inside [...] the "|" is a literal, so "|" is rejected as well).
        string str_regex = ".*[";
        for (int i = 0; i < lawlesses.Length - 1; i++)
            str_regex += lawlesses[i] + "|";
        str_regex += lawlesses[lawlesses.Length - 1] + "].*";

        foreach (object arg in args)
        {
            if (arg is string)                   // a string: check it directly
            {
                if (Regex.Matches(arg.ToString(), str_regex).Count > 0)
                    return false;
            }
            else if (arg is ICollection)         // a collection: check each element that is a string
            {
                foreach (object obj in (ICollection)arg)
                {
                    if (obj is string)
                    {
                        if (Regex.Matches(obj.ToString(), str_regex).Count > 0)
                            return false;
                    }
                }
            }
        }
        return true;
    }
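As an added example (not code from the original post), the same check rewritten so every filtered character is escaped and matched literally, beside the parameterized SqlCommand that removes the need for filtering: a legitimate value such as O'Brien is rejected by the blacklist but passes safely as a typed parameter. The connection string, table and column names are placeholders.

```csharp
using System;
using System.Collections;
using System.Data.SqlClient;
using System.Linq;
using System.Text.RegularExpressions;

static class SqlInputCheck
{
    // Same idea as CheckParams above, but each filtered string is passed
    // through Regex.Escape and joined by alternation, so characters that are
    // special in a regex (".", "*", "[") are still matched literally.
    public static bool CheckParams(string[] lawlesses, params object[] args)
    {
        if (lawlesses == null || lawlesses.Length == 0) return true;
        string pattern = string.Join("|", lawlesses.Select(Regex.Escape));
        foreach (object arg in args)
        {
            if (arg is string s && Regex.IsMatch(s, pattern)) return false;
            if (arg is ICollection col)
                foreach (object obj in col)
                    if (obj is string e && Regex.IsMatch(e, pattern)) return false;
        }
        return true;
    }

    // Parameterized query: the value is sent as a typed parameter, not as part
    // of the SQL text, so "=" and "'" inside it cannot alter the statement.
    // Connection string, table and column names are placeholders.
    public static int CountUsers(string connectionString, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Name = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", userName);
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        string[] lawlesses = { "=", "'" };
        // A plain name passes; the legitimate name O'Brien is rejected by the
        // blacklist, which is the false-positive cost of filtering on "'".
        Console.WriteLine(CheckParams(lawlesses, "alice"));
        Console.WriteLine(CheckParams(lawlesses, new[] { "alice", "O'Brien" }));
    }
}
```

CountUsers accepts O'Brien unchanged because the apostrophe never becomes part of the SQL text.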