A set of C# SQL string-handling functions: filtering SQL strings against a keyword blacklist, detecting dangerous characters in SQL, and correcting escape characters in SQL statements, intended to prevent SQL injection:
SQL string filter function:
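/// <summary>
/// Rejects an input string that contains any token from a fixed SQL keyword
/// blacklist. Returns <c>false</c> when a blacklisted token is found (or when
/// <paramref name="Str"/> is <c>null</c>), <c>true</c> otherwise.
/// </summary>
/// <remarks>
/// This is a keyword blacklist, not an injection defence. Substring matching
/// flags harmless words that happen to contain a token and cannot cover every
/// SQL construct, so the reliable mitigation is to never build SQL from
/// strings: pass values as command parameters (e.g. <c>SqlCommand.Parameters</c>)
/// and treat this check, if kept at all, as an extra input-validation signal.
/// </remarks>
/// <param name="Str">The string to inspect.</param>
/// <returns><c>true</c> when no blacklisted token occurs in <paramref name="Str"/>.</returns>
public static bool ProcessSqlStr(string Str)
{
    // The original relied on Str.Trim() throwing for null and a catch-all
    // turning that into "rejected"; keep the fail-closed result, make it explicit,
    // and drop the catch-all that hid the null case.
    if (Str == null)
    {
        return false;
    }

    // Blank input carries no SQL at all and is accepted.
    if (Str.Trim() == "")
    {
        return true;
    }

    // Effective blacklist. A broader list (select, create, iframe, script, ...)
    // was assigned first in the original but immediately overwritten, so it was
    // never in effect and is not reproduced here. NOTE(review): the '+' characters
    // are part of the literals as given; they look like they were meant to be
    // spaces — confirm against the original source before relying on them.
    string[] blacklist =
    {
        "exec+", "insert", "delete+", "update+", "count(", "count+", "chr+",
        "+mid(", "+mid+", "+master+", "truncate+", "char+", "+char(",
        "declare+", "drop+table", "creat+table",
    };

    foreach (string token in blacklist)
    {
        // Ordinal, case-insensitive search instead of ToLower().IndexOf(): the
        // culture-sensitive form can miss a token under some cultures
        // (e.g. the Turkish dotless i).
        if (Str.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }

    return true;
}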
The following detects illegal or dangerous characters in an SQL statement:
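/// <summary>
/// Detects SQL risk characters: returns <c>true</c> only when
/// <paramref name="str"/> contains none of the characters
/// <c>- | ; , / ( ) [ ] { } % @ * ! '</c>.
/// </summary>
/// <remarks>
/// A character blacklist rejects legitimate input (names such as O'Brien,
/// e-mail addresses containing '@', percentages) and is not a substitute for
/// parameterised queries, which keep data out of the SQL text entirely.
/// </remarks>
/// <param name="str">The string to judge.</param>
/// <returns><c>true</c> when no listed character is present.</returns>
/// <exception cref="ArgumentNullException"><paramref name="str"/> is <c>null</c>.</exception>
public static bool IsSafeSqlString(string str)
{
    if (str == null)
    {
        // Regex.IsMatch throws ArgumentNullException for a null input; raise it
        // here with the parameter name so the failure is explicit.
        throw new ArgumentNullException("str");
    }

    // One character class with the metacharacters escaped. The original wrote
    // the class with '|' separators; inside a character class '|' is a literal,
    // so '|' itself was rejected too, and that is kept here.
    return !Regex.IsMatch(str, @"[-|;,/()\[\]{}%@*!']");
}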
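/// <summary>
/// Corrects escape characters for embedding a value in an SQL string literal:
/// every single quote in <paramref name="str"/> is doubled, and <c>null</c>
/// is returned as the empty string.
/// </summary>
/// <remarks>
/// Doubling quotes only protects the single-quoted-literal context of SQL
/// dialects that use this escape. A value placed anywhere else in a statement,
/// or in a dialect with different escape rules, is not covered; command
/// parameters avoid the problem entirely and should be preferred.
/// </remarks>
/// <param name="str">The value to escape; may be <c>null</c>.</param>
/// <returns>The escaped value, or <c>""</c> for <c>null</c>.</returns>
public static string MashSql(string str)
{
    // The original compared with a single '=' (an assignment, which does not
    // compile as a condition); this is the intended null check.
    if (str == null)
    {
        return "";
    }

    // "'" -> "''": a literal quote inside a single-quoted SQL string literal.
    return str.Replace("'", "''");
}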