/// <summary>
/// Strips characters the author treats as "dangerous" for SQL from <paramref name="str"/>
/// using a single character-class blacklist.
/// </summary>
/// <remarks>
/// Blacklist stripping silently alters legitimate input (apostrophes in names, percent signs,
/// parentheses) and does not replace parameterized queries; injection is prevented at the
/// query layer, not here. NOTE(review): inside <c>[...]</c> the <c>|</c> is a literal, so
/// <c>|</c> itself is stripped as well, and the unescaped <c>]</c> in the middle of the class
/// may end the class early — confirm the pattern parses in .NET before relying on it.
/// The same pattern is repeated inline in <see cref="IsSafeSqlString"/>; a shared constant
/// would keep the two in step. String literals in this copy lost their quotes and escapes.
/// </remarks>
/// <param name="str">Input to filter. A null value reaches <c>Regex.Replace</c> and throws
/// <see cref="ArgumentNullException"/>.</param>
/// <returns>The input with every matched character removed (the replacement argument reads
/// as an empty string).</returns>
public static string RemoveSqlUnsafeString(string str)
{
    // Blacklist of punctuation; each listed character is removed wherever it appears.
    string p = @[-|;|,|/|(|)|[|]|}|{|%|@|*|!|'];
    return Regex.Replace(str,p,);
}

/// <summary>
/// Tests whether <paramref name="str"/> contains any character from the same blacklist
/// used by <see cref="RemoveSqlUnsafeString"/>.
/// </summary>
/// <remarks>
/// NOTE(review): the pattern is duplicated verbatim from the method above; the same caveats
/// about <c>|</c> and the mid-class <c>]</c> apply. A null <paramref name="str"/> throws
/// <see cref="ArgumentNullException"/> from <c>Regex.IsMatch</c>.
/// </remarks>
/// <param name="str">The string to test.</param>
/// <returns><c>true</c> when no blacklisted character is found; otherwise <c>false</c>.</returns>
public static bool IsSafeSqlString(string str)
{
    return !Regex.IsMatch(str,@[-|;|,|/|(|)|[|]|}|{|%|@|*|!|']);
}

/// <summary>
/// Rewrites the one character the author considers problematic inside a SQL literal.
/// </summary>
/// <remarks>
/// The non-null branch reads as doubling single quotes (<c>'</c> to <c>''</c>) — the literals
/// are garbled in this copy, so confirm against the original. Quote doubling only helps when
/// the value is spliced into a quoted string literal; a parameterized command covers every
/// context and is the control to prefer.
/// </remarks>
/// <param name="str">The value to escape; null is mapped to the (empty-looking) literal below.</param>
/// <returns>The escaped value, or the fallback literal when <paramref name="str"/> is null.</returns>
public static string ChkSQL(string str)
{
    string str2;
    if (str == null)
    {
        // Null input is normalised to a literal rather than propagated.
        str2 = ;
    }
    else
    {
        str = str.Replace(',''); // reads as: double each single quote
        str2 = str;
    }
    return str2;
}

#region Filter hostile characters
/// <summary>
/// Rewrites markup- and script-looking fragments in <paramref name="str"/>: removes
/// <c>/* */</c> comments and <c>script</c>/<c>style</c>/<c>link</c>/<c>iframe</c> elements,
/// renames inline <c>on*=</c> event attributes, and substitutes look-alike characters for
/// several punctuation marks and keywords.
/// </summary>
/// <remarks>
/// This is an input-side blacklist applied before storage; it changes the stored text
/// irreversibly, whereas output encoding at render time holds regardless of how the data
/// arrived. NOTE(review): <c>string.Replace(string, string)</c> is an ordinal, case-sensitive
/// match, so the keyword substitutions cover only the exact casing written here. Several
/// literals in this copy lost their quotes and escapes; the exact search/replacement strings
/// must be confirmed against the original file.
/// </remarks>
/// <param name="str">Text to filter; null or empty is returned unchanged.</param>
/// <returns>The filtered text, or the input itself when it is null or empty.</returns>
public static string ReplaceBadChar(string str)
{
    if (!string.IsNullOrEmpty(str))
    {
        // Remove /* ... */ comments (single-line mode so they may span lines).
        str = Regex.Replace(str,@(?s)/*.*?*/,,RegexOptions.IgnoreCase);
        // Remove <script>...</script> blocks.
        // NOTE(review): this and the next three calls read as Regex.Replace(input, pattern, options);
        // no such overload exists, so the empty replacement argument may be missing in this copy
        // (the comment-stripping call above does pass one).
        str = Regex.Replace(str,@(?s)<script.*?>.*?</script>,RegexOptions.IgnoreCase);
        // Remove <style>...</style> blocks: user-supplied styles are dropped entirely.
        str = Regex.Replace(str,@(?s)<style.*?>.*?</style>,RegexOptions.IgnoreCase);
        // Remove <link ... href=...> tags, e.g.
        // <link href=/scripts/PopBox/stylesheets/Styles.css rel=stylesheet type=text/css />
        str = Regex.Replace(str,@(?s)<link[^>]+href+([^>]+?)>,RegexOptions.IgnoreCase);

        // Substitute a few special characters.
        // str = str.Replace( , ); // (disabled) replace the listed character with a single space
        str = str.Replace(—,-); // em dash -> hyphen
        str = str.Replace(”,”);
        str = str.Replace(“,“);
        str = str.Replace(≤,<=);
        str = str.Replace(≠,!=);
        str = str.Replace(≥,>=);

        // Inline event attributes: <img src= onerror= /> -> <([^>|^<]+?on)([w]+[^=]+?)=([^>]+?)>
        // Inserts "_" between "on" and the event name so the attribute no longer parses as a handler.
        // '|' and '^' inside these character classes are literals, not alternation/anchors.
        str = Regex.Replace(str,@<([^>|^<]+?on)([a-z|A-Z]+[^=]+?)=([^>]+?)>, <$1_$2=$3>,RegexOptions.IgnoreCase);

        // javascript: URLs, e.g. <img src=javascript:alert(/xss/) />
        str = str.Replace(javascript:,javascript:);
        // NOTE(review): the search literal reads "vbscrript:" (double r) — as written it never
        // matches "vbscript:"; confirm against the original.
        str = str.Replace(vbscrript:,vbscript:);
        str = str.Replace(script,script); // any remaining "script" keyword (liehuo.net)
        // style=XSS:expression(alert(/xss/))
        str = str.Replace(expression,Expression); // CSS expression() keyword
        //str=Regex.Replace(str,@(style(.*))=(.*)(expression),$1=$3, RegexOptions.IgnoreCase); // (disabled) script events inside style attributes

        // <iframe src= ... : remove iframe blocks
        str = Regex.Replace(str,(?s)<iframe.*?>.*?</iframe>, RegexOptions.IgnoreCase);

        // Encoded variants, e.g. <img src=javascript:a lert('XSS');>
        str = str.Replace(#,#); // '#'
        // str = str.Replace(&,&); // (disabled) '&'
        str = str.Replace(%,%); // '%'
        // <img STYLE=background-image: 75726c286a61766173 63726970743a616c6572742827585353272929>
        // Search literal is blank in this copy; the original note says it guards against
        // hex-escape concatenation (presumably a backslash — confirm).
        str = str.Replace(,/);

        if (str.IndexOf(<script) >= 0) str = str.Replace(<,<--script);
        // NOTE(review): "> 0" skips an apostrophe at index 0, unlike the ">= 0" check above.
        if (str.IndexOf(') > 0) str = str.Replace(',’);
        //str = str.Replace(<,<);
        //str = str.Replace(>,>);
    }
    return str;
}
#endregion