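/// <summary>
/// Heuristic blacklist filter for raw SQL text.
/// </summary>
/// <remarks>
/// The filter rejects (logs and throws) when the text contains a slash or backslash,
/// an odd number of single quotes, one of the listed keywords delimited by a space,
/// parenthesis, newline or tab, or any character outside a small allowed set.
/// It is a keyword/character blacklist, so it only narrows the input space; it does not
/// make a string-built statement safe. Parameterised queries remain the primary control,
/// and this filter should be treated as a logging/defence-in-depth layer in front of them.
/// The listing this was reconstructed from was badly garbled; identifier casing and the
/// exact contents of the keyword list are read from that listing as best as possible.
/// </remarks>
public static class SqlDefenderHelper
{
    // Tokens that cause rejection when they appear next to a delimiter.
    // The last two entries are read from the garbled listing as the single quote and '+'.
    private const string Words =
        "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join|--|on|=|'|+";

    // Any character outside this set is rejected outright. Built once instead of per call.
    private static readonly Regex Disallowed = new Regex(@"[^0-9a-zA-Z, '\(\)\*\.\-]+");

    private const string RejectMessage = "SQL statement has a risk, prohibit execution!";

    /// <summary>
    /// Checks <paramref name="inText"/> against the blacklist rules.
    /// </summary>
    /// <param name="inText">Raw SQL text; <c>null</c> is returned unchanged.</param>
    /// <returns>The unmodified <paramref name="inText"/> when no rule fires.</returns>
    /// <exception cref="Exception">Thrown, after logging, when any rule fires.</exception>
    public static string SqlFilter(string inText)
    {
        if (inText == null)
            return inText;

        // A /**/ comment (or a backslash escape) can stand in for a space between tokens,
        // so both characters are rejected before the keyword scan.
        if (inText.Contains("\\") || inText.Contains("/"))
            Reject(inText);

        // An odd number of single quotes means an unbalanced string literal.
        // NOTE(review): the garbled listing reads "% 2 = 0" while its own comment says
        // an odd count is the risky case; the comment is followed here, since testing for
        // an even count would reject every statement that has no quotes at all.
        if (inText.Count(c => c == '\'') % 2 != 0)
            Reject(inText);

        // Lower-case once, invariantly, so culture settings cannot change the outcome.
        string lower = inText.ToLowerInvariant();
        foreach (string word in Words.Split('|'))
        {
            if (ContainsToken(lower, word))
                Reject(inText);
        }

        if (Disallowed.IsMatch(inText))
            Reject(inText);

        return inText;
    }

    // True when `word` appears delimited by a space, parenthesis, newline or tab.
    // The quote is exempt from the parenthesis rule, as in the original.
    private static bool ContainsToken(string lower, string word)
    {
        if (Has(lower, word + " ") || Has(lower, " " + word))
            return true;
        if (word != "'" && (Has(lower, word + "(") || Has(lower, ")" + word)))
            return true;
        if (Has(lower, word + "\n") || Has(lower, "\n" + word))
            return true;
        // The original compared against a literal "T" on one side of the tab check; both
        // sides now use the tab character.
        if (Has(lower, word + "\t") || Has(lower, "\t" + word))
            return true;
        return false;
    }

    // Ordinal search: string.IndexOf(string) is culture-sensitive by default.
    private static bool Has(string haystack, string needle)
    {
        return haystack.IndexOf(needle, StringComparison.Ordinal) > -1;
    }

    // Logs the rejected statement through the project's operation log, then throws.
    // The log call's casing is reconstructed from the garbled listing; confirm against the project.
    private static void Reject(string inText)
    {
        InitInfo.LogOperation._OperationInfoLog(
            "",
            "SqlDefenderHelper.SqlFilter",
            string.Format("statement {0} is at risk, no execution!", inText),
            "");
        throw new Exception(RejectMessage);
    }
}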
// Prevent SQL injection