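/// <summary>
/// Returns true when <paramref name="InText"/> contains one of a fixed list of SQL keywords
/// that is immediately followed or preceded by a space (e.g. "select " or " or").
/// </summary>
/// <remarks>
/// SECURITY NOTE: keyword blacklisting is NOT a defense against SQL injection. A keyword at
/// the very start or end of the string with no adjacent space is missed, as is anything that
/// uses tabs, newlines or comments ("select/**/x") as separators, while legitimate text such
/// as "bed and breakfast" is rejected. Use parameterized queries; keep this only as a coarse
/// best-effort heuristic.
/// Changes from the recovered listing: the comparison is ordinal and case-insensitive. The
/// listing lowercased the input with the current culture (which breaks under e.g. Turkish
/// casing rules) while leaving the first keyword capitalized ("And"), so that keyword could
/// never match the lowercased input.
/// </remarks>
/// <param name="InText">The string to inspect; null is treated as safe.</param>
/// <returns>true if a listed keyword was found with an adjacent space; otherwise false.</returns>
public bool Sqlfilter(string InText)
{
    if (InText == null)
    {
        return false;
    }

    const string keywordList =
        "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join";

    foreach (string keyword in keywordList.Split('|'))
    {
        bool followedBySpace =
            InText.IndexOf(keyword + " ", StringComparison.OrdinalIgnoreCase) >= 0;
        bool precededBySpace =
            InText.IndexOf(" " + keyword, StringComparison.OrdinalIgnoreCase) >= 0;

        if (followedBySpace || precededBySpace)
        {
            return true;
        }
    }

    return false;
}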
1.
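/// <summary>
/// Legacy "unsafe string" filter: doubles single quotes, drops double quotes, HTML-encodes
/// <c>&amp;</c>, <c>&lt;</c> and <c>&gt;</c>, then deletes the literal substrings
/// "delete", "Update" and "Insert" (ordinal, case-sensitive, exactly as listed).
/// </summary>
/// <remarks>
/// SECURITY NOTE: keyword stripping is not a SQL-injection defense — "DELETE" or "dElEtE"
/// pass straight through and the keyword list is far from complete. Use parameterized
/// queries, and HTML-encode only at the point of output. The function also corrupts ordinary
/// text: "Updated" becomes "d".
/// NOTE(review): the listing this was recovered from had its replacement literals mangled by
/// HTML rendering; the values below (quote doubling, quote removal, HTML entities) are
/// reconstructed — confirm against the original source.
/// </remarks>
/// <param name="Str">Input text; null yields an empty string instead of a NullReferenceException.</param>
/// <returns>The transformed string.</returns>
public static string Filtesqlstr(string Str)
{
    if (Str == null)
    {
        return string.Empty;
    }

    Str = Str.Replace("'", "''");
    Str = Str.Replace("\"", "");
    // '&' must be encoded before '<' and '>' so the entities produced here are not re-encoded.
    Str = Str.Replace("&", "&amp;");
    Str = Str.Replace("<", "&lt;");
    Str = Str.Replace(">", "&gt;");
    Str = Str.Replace("delete", "");
    Str = Str.Replace("Update", "");
    Str = Str.Replace("Insert", "");
    return Str;
}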
2.
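#region Filtering the injection script in the SQL statement string
/// <summary>
/// Legacy SQL "filter": doubles single quotes, swaps ';', '(' and ')' for their full-width
/// forms, deletes "Execute"/"Exec", and splits the "Xp_" / "sp_" prefixes and "0x" so they
/// no longer form a token.
/// </summary>
/// <remarks>
/// SECURITY NOTE: this is not a SQL-injection defense. Every replacement is ordinal and
/// case-sensitive, so "exec", "EXEC", "XP_" or "0X" pass through unchanged; the listing's own
/// note that this should become a case-insensitive regex was never implemented. Use
/// parameterized queries instead.
/// Changes from the recovered listing: "Execute" is now removed before "Exec" — the original
/// order reduced "Execute" to "ute" and the second replacement could never match. Null input
/// returns an empty string instead of throwing.
/// NOTE(review): the full-width targets were flattened to ASCII when the listing was rendered;
/// they are reconstructed from the listing's comments as U+FF1B / U+FF08 / U+FF09 — confirm.
/// </remarks>
/// <param name="source">Incoming string.</param>
/// <returns>Filtered string.</returns>
public static string Sqlfilter(string source)
{
    if (source == null)
    {
        return string.Empty;
    }

    // Single quote -> two single quotes.
    source = source.Replace("'", "''");
    // Half-width ';' -> full-width '；' (U+FF1B) so a second statement cannot be chained.
    source = source.Replace(";", "\uFF1B");
    // Half-width parentheses -> full-width （ ） (U+FF08 / U+FF09).
    source = source.Replace("(", "\uFF08");
    source = source.Replace(")", "\uFF09");
    // Stored-procedure execution keywords; longer token first.
    source = source.Replace("Execute", "");
    source = source.Replace("Exec", "");
    // Break system / extended stored-procedure prefixes (literals kept as listed).
    source = source.Replace("Xp_", "x P_");
    source = source.Replace("sp_", "s P_");
    // Break hexadecimal literals.
    source = source.Replace("0x", "0 x");
    return source;
}
#endregion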
3.
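/// <summary>
/// Replaces sixteen half-width punctuation characters that commonly appear in SQL with their
/// full-width (U+FFxx) counterparts; "$" maps to the full-width yen sign.
/// </summary>
/// <remarks>
/// SECURITY NOTE: this keeps the text readable but is not an injection defense — payloads
/// that need none of these characters (e.g. "UNION SELECT", or "1 or 1" in a numeric
/// context) pass through unchanged. Parameterize queries instead.
/// Change from the recovered listing: null input returns an empty string (the original only
/// checked for String.Empty and threw on null).
/// NOTE(review): the full-width targets were flattened to ASCII when the listing was rendered
/// and are reconstructed from the listing's description — confirm against the original source.
/// </remarks>
/// <param name="str">String to filter SQL characters from.</param>
/// <returns>The string with the listed characters replaced; empty for null or empty input.</returns>
public static string Replacesqlchar(string str)
{
    if (string.IsNullOrEmpty(str))
    {
        return string.Empty;
    }

    // Half-width -> full-width pairs, in the listing's order.
    string[,] pairs =
    {
        { "'", "\uFF07" }, { ";", "\uFF1B" }, { ",", "\uFF0C" }, { "?", "\uFF1F" },
        { "<", "\uFF1C" }, { ">", "\uFF1E" }, { "(", "\uFF08" }, { ")", "\uFF09" },
        { "@", "\uFF20" }, { "=", "\uFF1D" }, { "+", "\uFF0B" }, { "*", "\uFF0A" },
        { "&", "\uFF06" }, { "#", "\uFF03" }, { "%", "\uFF05" }, { "$", "\uFFE5" },
    };

    for (int i = 0; i < pairs.GetLength(0); i++)
    {
        str = str.Replace(pairs[i, 0], pairs[i, 1]);
    }

    return str;
}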
4.
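/// <summary>
/// Strips HTML markup from <paramref name="htmlstring"/>, decodes a handful of entities,
/// deletes a fixed list of SQL / shell keywords and punctuation, and returns the result
/// HTML-encoded and trimmed.
/// </summary>
/// <remarks>
/// SECURITY NOTE: this is a lossy blacklist, not a sanitizer. Regex tag stripping is
/// bypassable, and the keyword pass destroys ordinary text: "Sandwich" becomes "Swich"
/// ("and" removed), "Oregon" becomes "egon" ("or" removed). Prefer a real HTML sanitizer,
/// parameterized SQL, and HTML-encoding at output time.
/// Changes from the recovered listing: the final encode uses System.Net.WebUtility instead of
/// HttpContext.Current.Server.HtmlEncode, which throws NullReferenceException outside an
/// ASP.NET request (and is not available on .NET Core); keyword removal goes through
/// Regex.Escape, because passing "*" as a raw regex pattern throws ArgumentException on every
/// call, so the listed version could never complete.
/// NOTE(review): WebUtility.HtmlEncode is assumed equivalent to the ASP.NET helper for the
/// characters this method can emit — confirm. Several literals ("-->", "&#(\d+);", "Count")
/// were mangled in the listing and are reconstructed — confirm against the original source.
/// </remarks>
/// <param name="htmlstring">Text that may contain HTML, scripts, SQL keywords and special characters.</param>
/// <returns>The filtered, HTML-encoded text; an empty string for null input.</returns>
public string nohtml(string htmlstring)
{
    if (htmlstring == null)
    {
        return "";
    }

    const RegexOptions Opts = RegexOptions.IgnoreCase;

    // 1. Remove markup. Without RegexOptions.Singleline '.' does not cross a newline, so a
    //    multi-line <script> block is only caught tag-by-tag by the generic pattern below.
    htmlstring = Regex.Replace(htmlstring, @"<script[^>]*?>.*?</script>", "", Opts);
    htmlstring = Regex.Replace(htmlstring, @"<(.[^>]*)>", "", Opts);
    htmlstring = Regex.Replace(htmlstring, @"([\r\n])[\s]+", "", Opts);
    htmlstring = Regex.Replace(htmlstring, @"-->", "", Opts);
    htmlstring = Regex.Replace(htmlstring, @"<!--.*", "", Opts);

    // 2. Decode a few named/numeric entities, then discard any other numeric entity outright.
    htmlstring = Regex.Replace(htmlstring, @"&(quot|#34);", "\"", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(amp|#38);", "&", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(lt|#60);", "<", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(gt|#62);", ">", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(nbsp|#160);", "", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(iexcl|#161);", "\u00A1", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(cent|#162);", "\u00A2", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(pound|#163);", "\u00A3", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&(copy|#169);", "\u00A9", Opts);
    htmlstring = Regex.Replace(htmlstring, @"&#(\d+);", "", Opts);

    // 3. Delete SQL / shell keywords case-insensitively, in the listing's order. Each entry is
    //    a literal, so it is escaped before being used as a pattern.
    string[] blacklist =
    {
        "xp_cmdshell", "select", "Insert", "Delete from", "Count", "drop table",
        "truncate", "ASC", "mid", "char", "xp_cmdshell", "exec master",
        "net localgroup Administrators", "and", "net user", "or", "net",
        "*", "-", "delete", "Drop", "script",
    };
    foreach (string word in blacklist)
    {
        htmlstring = Regex.Replace(htmlstring, Regex.Escape(word), "", Opts);
    }

    // 4. Delete punctuation that is common in injection payloads (ordinal, as listed).
    string[] specials = { "<", ">", "*", "-", "?", "'", ",", "/", ";", "*/", "\r\n" };
    foreach (string token in specials)
    {
        htmlstring = htmlstring.Replace(token, "");
    }

    return WebUtility.HtmlEncode(htmlstring).Trim();
}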
5.
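/// <summary>
/// Returns true when <paramref name="str"/> contains any of a fixed list of SQL / shell
/// keywords, matched case-insensitively anywhere in the text.
/// </summary>
/// <remarks>
/// SECURITY NOTE: a keyword blacklist is not an injection defense. "or" and "and" match inside
/// ordinary words ("Oregon", "Sandwich"), so legitimate input is rejected, while payloads that
/// avoid the listed spellings are not. Parameterize queries; use this at most as a heuristic.
/// Changes from the recovered listing: null input returns false instead of throwing
/// ArgumentNullException from Regex.IsMatch.
/// NOTE(review): the listing had stray spaces inside the pattern (" Select", "and ",
/// "count\ (") and "netlocalgroup" without a space; these are treated as rendering damage and
/// normalized to the plain keywords — confirm against the original source.
/// </remarks>
/// <param name="str">Text to inspect; null is treated as clean.</param>
/// <returns>true if any keyword matches; otherwise false.</returns>
public static bool checkbadword(string str)
{
    if (str == null)
    {
        return false;
    }

    const string pattern =
        @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|net localgroup administrators|net user|or|and";

    return Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase);
}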
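/// <summary>
/// Deletes every occurrence of a fixed list of SQL / shell keywords from <paramref name="str"/>,
/// case-insensitively.
/// </summary>
/// <remarks>
/// SECURITY NOTE: a destructive blacklist is not an injection defense and mangles ordinary
/// text ("Sandwich" becomes "Swich"). Parameterize queries instead.
/// Changes from the recovered listing: matching is case-insensitive, consistent with
/// checkbadword — the listing mixed casings ("Select", "delete", "NET user") with ordinal
/// String.Replace, so most spellings slipped through; the four "xxx\\(" entries were regex
/// escapes pasted into plain strings and could never match "count(" etc., so they are now the
/// literal text; null input returns an empty string instead of throwing.
/// NOTE(review): "netlocalgroup" had no space in the listing; normalized to "net localgroup" —
/// confirm against the original source.
/// </remarks>
/// <param name="str">Text to filter; null yields an empty string.</param>
/// <returns>The text with all listed keywords removed.</returns>
public static string filter(string str)
{
    if (str == null)
    {
        return string.Empty;
    }

    string[] pattern =
    {
        "select", "insert", "delete", "from", "count(", "drop table", "update",
        "truncate", "asc(", "mid(", "char(", "xp_cmdshell", "exec master",
        "net localgroup administrators", "net user", "or", "and",
    };

    foreach (string word in pattern)
    {
        // Regex.Escape keeps "(" literal; IgnoreCase mirrors checkbadword.
        str = Regex.Replace(str, Regex.Escape(word), "", RegexOptions.IgnoreCase);
    }

    return str;
}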
SQL keyword filtering — C# methods (blacklist-based; not a substitute for parameterized queries)