/// <summary> /// 移除字符串中的可能引起危险sql字符 /// </summary> /// <param name="str"></param> /// <returns></returns> public static string RemovesqlUnsafeString(string str) { string p = @"[-|;|,|/|(|)|[|]|}|{|%|@|*|!|']"; return Regex.Replace(str,p,""); } /// <summary> /// 检测是否有sql危险字符 /// </summary> /// <param name="str">要判断字符串</param> /// <returns>判断结果</returns> public static bool IsSafesqlString(string str) { return !Regex.IsMatch(str,@"[-|;|,|/|(|)|[|]|}|{|%|@|*|!|']"); } /// <summary> /// 替换sql语句中的有问题符号 /// </summary> public static string Chksql(string str) { string str2; if (str == null) { str2 = ""; } else { str = str.Replace("'","''"); str2 = str; } return str2; } #region 过滤攻击性字符 /// <summary> /// 过滤攻击性字符 /// </summary> /// <param name="str"></param> /// <returns></returns> public static string ReplaceBadChar(string str) { if (!string.IsNullOrEmpty(str)) { str = Regex.Replace(str,@"(?s)/*.*?*/","",RegexOptions.IgnoreCase); //删除注释:/* */ str = Regex.Replace(str,@"(?s)<script.*?>.*?</script>",RegexOptions.IgnoreCase); //删除脚本 str = Regex.Replace(str,@"(?s)<style.*?>.*?</style>",RegexOptions.IgnoreCase); //需要把用户自己添加的样式都删除 //<link href="/scripts/PopBox/stylesheets/Styles.css" rel="stylesheet" type="text/css" /> str = Regex.Replace(str,@"(?s)<link[^>]+href+([^>]+?)>",RegexOptions.IgnoreCase); //替换一些比较特殊的字符 // str = str.Replace(" "," "); //将 替换为一个空格 str = str.Replace("—","-");//将—替换为- str = str.Replace("”","”"); str = str.Replace("“","“"); str = str.Replace("≤","<="); str = str.Replace("≠","!="); str = str.Replace("≥",">="); //<img src="" onerror="" /> <([^>|^<]+?on)([w]+[^=]+?)=([^>]+?)> str = Regex.Replace(str,@"<([^>|^<]+?on)([a-z|A-Z]+[^=]+?)=([^>]+?)>", "<$1_$2=$3>",RegexOptions.IgnoreCase);//过滤可能的XSS攻击,脚本事件 //javascript: str = str.Replace("javascript:","javascript:");//过滤<img src="javascript:alert(/xss/)" /> str = str.Replace("vbscrript:","vbscript:");//过滤vbscript str = str.Replace("script","script");//过滤所有可能的脚本 liehuo.net //style="XSS:expression(alert(/xss/))" str = str.Replace("expression","Expression");//过滤所有可能的脚本 //str=Regex.Replace(str,@"(style(.*))=(.*)(expression)","$1=$3", RegexOptions.IgnoreCase); //过滤样式中,可能带有的脚本事件 //<iframe src= str = Regex.Replace(str,"(?s)<iframe.*?>.*?</iframe>", RegexOptions.IgnoreCase);//过滤Ifrmae;网 //防止转码XSS攻击:<img src="javascript:a lert('XSS');"> str = str.Replace("#","#");//过滤# // str = str.Replace("&","&");//过滤& str = str.Replace("%","%");//过滤% //<img STYLE="background-image: 75726c286a61766173 63726970743a616c6572742827585353272929"> str = str.Replace("","/");//过滤 防止连接16进制的攻击 if (str.IndexOf("<script") >= 0) str = str.Replace("<","<--script"); if (str.IndexOf("'") > 0) str = str.Replace("'","’"); //str = str.Replace("<","<"); //str = str.Replace(">",">"); } return str; } #endregion @H_403_115@ |