SQL keyword filtering C # method

Source: Internet
Author: User

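/// <summary>
/// Heuristic SQL-injection check: reports whether <paramref name="InText"/> contains one of a fixed
/// list of SQL keywords that is followed or preceded by a space.
/// This is a denylist, neither complete nor precise (ordinary words such as "or", "and", "mid" or
/// "char" trigger it). It is a logging/rejection hint only; parameterized queries are what remove the
/// injection risk regardless of input.
/// </summary>
/// <param name="InText">The string to check; <c>null</c> is treated as safe.</param>
/// <returns><c>true</c> if a listed keyword is found, otherwise <c>false</c>.</returns>
public bool Sqlfilter(string InText)
{
    if (InText == null)
    {
        return false;
    }

    // Keyword list from the original. Matching is case-insensitive via StringComparison instead of
    // ToLower(): the original kept "And" capitalised in the list while lowercasing the input, so that
    // entry could never match, and ToLower() is culture-sensitive (e.g. Turkish dotted/dotless i).
    const string Keywords = "and|exec|insert|select|delete|update|chr|mid|master|or|truncate|char|declare|join";

    foreach (string keyword in Keywords.Split('|'))
    {
        // Original rule: keyword followed by a space OR preceded by a space (not a word-boundary test).
        if (InText.IndexOf(keyword + " ", StringComparison.OrdinalIgnoreCase) >= 0
            || InText.IndexOf(" " + keyword, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return true;
        }
    }

    return false;
}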

1.
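/// <summary>
/// Filter unsafe strings: doubles single quotes, removes double quotes, HTML-encodes
/// <c>&amp;</c>, <c>&lt;</c> and <c>&gt;</c>, and removes the keywords delete/update/insert
/// case-insensitively.
/// Keyword removal also mangles ordinary words that contain them ("Updated" becomes "d").
/// This is not a substitute for parameterized queries; encode HTML at output time.
/// </summary>
/// <param name="Str">The string to filter; <c>null</c> yields an empty string.</param>
/// <returns>The filtered string.</returns>
public static string Filtesqlstr(String Str)
{
    if (Str == null)
    {
        return String.Empty;
    }

    Str = Str.Replace("'", "''");
    Str = Str.Replace("\"", "");

    // '&' must be encoded before '<' and '>' so the entities just produced are not re-encoded.
    // The original emitted "&amp", "&lt" and "&gt" without the terminating ';', which is not valid HTML.
    Str = Str.Replace("&", "&amp;");
    Str = Str.Replace("<", "&lt;");
    Str = Str.Replace(">", "&gt;");

    // The original removed "delete" lowercase but "Update"/"Insert" capitalised only; apply one rule.
    foreach (string keyword in new[] { "delete", "update", "insert" })
    {
        Str = Regex.Replace(Str, Regex.Escape(keyword), "", RegexOptions.IgnoreCase);
    }

    return Str;
}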

2.

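#region filtering the injection script in the SQL statement string
/// <summary>
/// Filtering the injection script in the SQL statement string: single quotes are doubled, the
/// half-width <c>;</c> <c>(</c> <c>)</c> are replaced by their full-width forms, the exec/execute
/// keywords are removed, and the xp_/sp_ procedure prefixes and the 0x hex prefix are broken up.
/// Keyword matching is case-insensitive (the original code noted this as still to be done).
/// This rewrites only a known subset of SQL syntax and is not equivalent to parameterized queries.
/// </summary>
/// <param name="source">Incoming string; <c>null</c> yields an empty string.</param>
/// <returns>Filtered string.</returns>
public static string Sqlfilter(string source)
{
    if (source == null)
    {
        return string.Empty;
    }

    // Single quotes replaced with two single quotes.
    source = source.Replace("'", "''");

    // Half-width semicolon replaced with full-width (U+FF1B) to prevent multi-statement execution.
    source = source.Replace(";", "\uFF1B");

    // Half-width brackets replaced with full-width brackets (U+FF08 / U+FF09).
    source = source.Replace("(", "\uFF08");
    source = source.Replace(")", "\uFF09");

    // Remove the command keywords that execute a stored procedure. Longest first: the original
    // removed "Exec" before "Execute", which left "ute" behind and made the second rule dead.
    source = Regex.Replace(source, "execute", "", RegexOptions.IgnoreCase);
    source = Regex.Replace(source, "exec", "", RegexOptions.IgnoreCase);

    // Break up system / extended stored procedure prefixes.
    source = Regex.Replace(source, "xp_", "x p_", RegexOptions.IgnoreCase);
    source = Regex.Replace(source, "sp_", "s p_", RegexOptions.IgnoreCase);

    // Break up the hexadecimal literal prefix.
    source = Regex.Replace(source, "0x", "0 x", RegexOptions.IgnoreCase);

    return source;
}
#endregion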

3.

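/// <summary>
/// Filter SQL characters: replaces each listed half-width punctuation character with its
/// full-width counterpart so it no longer acts as SQL syntax, and <c>$</c> with <c>¥</c>.
/// Like the other filters here, this is a character denylist and not a substitute for
/// parameterized queries.
/// </summary>
/// <param name="str">String to filter SQL characters from; <c>null</c> or empty yields an empty string.</param>
/// <returns>String that has had the listed SQL characters replaced.</returns>
public static string Replacesqlchar(String str)
{
    // The original compared against String.Empty only and dereferenced null.
    if (String.IsNullOrEmpty(str))
    {
        return String.Empty;
    }

    // NOTE(review): the full-width targets did not survive the page rendering (they appear as
    // identity replacements); restored here as the U+FF01..U+FF5E forms that the sibling
    // Sqlfilter method documents — confirm against the original source.
    str = str.Replace("'", "\uFF07");
    str = str.Replace(";", "\uFF1B");
    str = str.Replace(",", "\uFF0C");
    str = str.Replace("?", "\uFF1F");
    str = str.Replace("<", "\uFF1C");
    str = str.Replace(">", "\uFF1E");
    str = str.Replace("(", "\uFF08");
    str = str.Replace(")", "\uFF09");
    str = str.Replace("@", "\uFF20");
    str = str.Replace("=", "\uFF1D");
    str = str.Replace("+", "\uFF0B");
    str = str.Replace("*", "\uFF0A");
    str = str.Replace("&", "\uFF06");
    str = str.Replace("#", "\uFF03");
    str = str.Replace("%", "\uFF05");
    str = str.Replace("$", "¥");

    return str;
}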
4.


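/// <summary>
/// Filter marks: strips script blocks and HTML tags, decodes a few entities, removes a fixed list
/// of database/shell keywords and special characters, then HTML-encodes and trims the result.
/// The keyword removal is a plain substring denylist and damages ordinary text ("and", "or",
/// "net" and "-" are removed wherever they occur); it does not make the result safe for SQL,
/// which needs parameterized queries. The final HTML encoding is what makes the text safe for HTML.
/// </summary>
/// <param name="htmlstring">Text that may contain HTML, scripts, database keywords and special characters.</param>
/// <returns>The text with the listed markup and keywords removed, HTML-encoded and trimmed; an empty string for <c>null</c>.</returns>
public string nohtml(string htmlstring)
{
    if (htmlstring == null)
    {
        return "";
    }

    // Delete script blocks and tags.
    htmlstring = Regex.Replace(htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
    // NOTE(review): the page shows the first comment-delimiter pattern garbled ("-and");
    // "-->" is assumed to be the intended closing delimiter — confirm against the original source.
    htmlstring = Regex.Replace(htmlstring, @"-->", "", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

    // Decode the entities the original handles.
    htmlstring = Regex.Replace(htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(nbsp|#160);", "", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
    htmlstring = Regex.Replace(htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
    // NOTE(review): the page shows this pattern as "(\d+);", which would delete any digits
    // followed by a semicolon; the "&#" prefix of a numeric entity is assumed — confirm.
    htmlstring = Regex.Replace(htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

    // Delete database-related and shell-related words, in the original order, as literal
    // case-insensitive substrings. Regex.Escape is required: the original passed "*" as a raw regex
    // pattern, which is invalid ("quantifier follows nothing") and throws ArgumentException on every call.
    string[] deniedWords =
    {
        "xp_cmdshell", "select", "insert", "delete from", "count", "drop table", "truncate",
        "asc", "mid", "char", "exec master", "net localgroup administrators", "and", "net user",
        "or", "net", "*", "-", "delete", "drop", "script",
    };
    foreach (string word in deniedWords)
    {
        htmlstring = Regex.Replace(htmlstring, Regex.Escape(word), "", RegexOptions.IgnoreCase);
    }

    // Special characters. "*/" from the original is omitted: "*" is already gone by this point,
    // so that replacement could never match.
    foreach (string special in new[] { "<", ">", "*", "-", "?", "'", ",", "/", ";", "\r\n" })
    {
        htmlstring = htmlstring.Replace(special, "");
    }

    // Encode for HTML output without going through HttpContext.Current, which is null outside a web
    // request and made the original throw NullReferenceException when called from non-web code.
    htmlstring = System.Net.WebUtility.HtmlEncode(htmlstring).Trim();

    return htmlstring;
}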
}

5.

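/// <summary>
/// Reports whether <paramref name="str"/> contains any of a fixed list of SQL and shell keywords
/// (case-insensitive substring match). Short entries such as "or", "and" and "from" match inside
/// ordinary words, so a positive result is a hint for logging or rejection, not proof of an attack;
/// parameterized queries remain the control against injection.
/// </summary>
/// <param name="str">Text to inspect; <c>null</c> is reported as clean.</param>
/// <returns><c>true</c> when a listed keyword is present, otherwise <c>false</c>.</returns>
public static bool checkbadword(string str)
{
    // Regex.IsMatch throws ArgumentNullException on a null input.
    if (str == null)
    {
        return false;
    }

    // Same list that filter() removes. The page shows the pattern with stray leading/trailing
    // spaces and "exec   Master"; those are taken as rendering artefacts and dropped.
    const string pattern = @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|net localgroup administrators|net user|or|and";

    return Regex.IsMatch(str, pattern, RegexOptions.IgnoreCase);
}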
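/// <summary>
/// Removes the same keyword list that checkbadword detects from <paramref name="str"/>,
/// case-insensitively. The entries are regular expressions (e.g. <c>count\(</c>), so they are
/// applied with Regex.Replace; the original used string.Replace, which searched for the literal
/// backslash and never matched those entries, and was case-sensitive.
/// Removal also damages ordinary words containing "or", "and" or "from"; this does not make the
/// result safe for SQL — use parameterized queries.
/// </summary>
/// <param name="str">Text to filter; <c>null</c> yields an empty string.</param>
/// <returns>The text with the listed keywords removed.</returns>
public static string filter(string str)
{
    if (str == null)
    {
        return string.Empty;
    }

    // The page shows some entries padded with spaces (" Select ") and others not; the padding is
    // taken as a rendering artefact so every entry is matched the same way.
    string[] patterns =
    {
        "select", "insert", "delete", "from", @"count\(", "drop table", "update", "truncate",
        @"asc\(", @"mid\(", @"char\(", "xp_cmdshell", "exec master",
        "net localgroup administrators", "net user", "or", "and",
    };

    foreach (string pattern in patterns)
    {
        str = Regex.Replace(str, pattern, "", RegexOptions.IgnoreCase);
    }

    return str;
}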
