本例主要对查询时用户恶意输入SQL语句破坏数据库的行为进行过滤和警告提示;
防SQL注入的类主要是根据输入的查询条件检查是否含有SQL语句的成分并返回True或False,另外还提供一个属性Message;
代码如下:
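/// <summary>
/// Heuristic screen that rejects a search string when it looks like it carries SQL:
/// the string is rejected when at least two of the listed tokens occur in it (two
/// keywords, two special tokens, or one of each). Matching is case-insensitive and by
/// plain substring, so ordinary words are hit as well ("information" contains "in" and "or").
/// </summary>
/// <remarks>
/// This is a denylist and only a usability hint: it cannot be relied on to stop SQL
/// injection. The data-access layer must use parameterized queries regardless of
/// whether this check passes.
/// <see cref="Message"/> is shared static state that every call overwrites, so it is
/// not reliable under concurrent callers (for example a web application).
/// </remarks>
public static class SQLCheckUtil
{
    // Reserved words; the input is rejected when two of them occur, or one of them
    // together with one special token.
    private static readonly string[] Keywords =
    {
        "DELETE", "DROP", "TABLE", "CREATE", "SELECT", "UPDATE", "INSERT", "EXEC"
    };

    // Operators / punctuation commonly seen in SQL, matched as plain substrings.
    private static readonly string[] SpecialTokens =
    {
        "IN", "*", "FROM", "WHERE", "=", "LIKE", "%", "AND", "OR", "'", ";", "INTO"
    };

    /// <summary>
    /// Reason for the most recent rejection by <see cref="checkSQL"/>; empty when the
    /// last check passed. Static and unsynchronized (see the class remarks).
    /// </summary>
    public static string Message { get; set; }

    /// <summary>
    /// Checks whether <paramref name="checkStr"/> contains two or more reserved tokens.
    /// </summary>
    /// <param name="checkStr">The user-supplied query condition; may be null.</param>
    /// <returns>
    /// <c>true</c> when fewer than two tokens are found; <c>false</c> (with
    /// <see cref="Message"/> set) when the string is null or empty, or when two or
    /// more tokens are found.
    /// </returns>
    public static bool checkSQL(string checkStr)
    {
        // Clear the previous result so a passing check never leaves a stale message behind.
        Message = string.Empty;

        // null used to reach checkStr.ToUpper() outside the try block and throw
        // NullReferenceException; treat it the same as an empty string.
        if (string.IsNullOrEmpty(checkStr))
        {
            Message = "空字符串!";
            return false;
        }

        List<string> keywordsFound = FindTokens(checkStr, Keywords);
        List<string> specialsFound = FindTokens(checkStr, SpecialTokens);

        // A single hit is tolerated (e.g. a search for "select" on its own).
        if (keywordsFound.Count + specialsFound.Count < 2)
        {
            return true;
        }

        // Name two distinct tokens: keyword + special token when both exist, otherwise the
        // first two of whichever list has them. (The old loops re-added the first keyword
        // and reported it twice, e.g. "drop,drop" for "DROP TABLE".)
        string first;
        string second;
        if (keywordsFound.Count > 0 && specialsFound.Count > 0)
        {
            first = keywordsFound[0];
            second = specialsFound[0];
        }
        else if (keywordsFound.Count > 1)
        {
            first = keywordsFound[0];
            second = keywordsFound[1];
        }
        else
        {
            first = specialsFound[0];
            second = specialsFound[1];
        }

        Message = "您输入的" + first + "," + second + "是保留字符,请更换!";
        return false;
    }

    // Returns the tokens (lower-cased, in list order) that occur in input, ignoring case.
    // Ordinal comparison: the old ToUpper()/IndexOf(key) pair was culture-sensitive and
    // could miss or mis-match under some locales (e.g. the Turkish dotted I).
    private static List<string> FindTokens(string input, string[] tokens)
    {
        List<string> found = new List<string>();
        foreach (string token in tokens)
        {
            if (input.IndexOf(token, System.StringComparison.OrdinalIgnoreCase) >= 0)
            {
                found.Add(token.ToLowerInvariant());
            }
        }
        return found;
    }
}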
当然此类还不是十分智能,还有许多不足,还望大家多提意见,亲看完要回复的!