How do I filter characters that could cause vulnerabilities out of a query string?

I need to filter out characters such as / - ^ % { } [ ] ; $ = * ` # | & @ " \ < > ( ) + \ and replace them with an empty string if they are present in the query string. Please help me. I am using this in an ASP page.

-------------- Solution --------------

The best approach is to use a function along the lines of:

Public Function MakeSQLSafe(ByVal sql As String) As String
    'first i'd avoid putting quote chars in as they might be valid? just double them up.
    Dim strIllegalChars As String = "/?-^%{}[];$=*`#|&@\<>()+,\"
    'replace single quotes with double so they don't cause escape character
    If sql.Contains("'") Then
        sql = sql.Replace("'", "''")
    End If
    'need to double up double quotes from what I remember to get them through
    If sql.Contains("""") Then
        sql = sql.Replace("""", """""")
    End If
    'remove illegal chars
    For Each c As Char In strIllegalChars
        If sql.Contains(c.ToString) Then
            sql = sql.Replace(c.ToString, "")
        End If
    Next

    Return sql
End Function

This hasn't been tested and it could probably be more efficient, but it should get you going. Wherever your application executes SQL, just wrap the SQL in this function to clean the string before executing it:

ExecuteSQL(MakeSQLSafe(strSQL))

Hope that helps.

As with any string sanitising, you are much better off working from a whitelist of which characters are allowed rather than a blacklist of characters that are not.

This question about filtering HTML tags has an accepted answer that suggests using a regular expression to match a whitelist: http://stackoverflow.com/questions/307013/how-do-i-filter-all-html-tags-except-a-certain-whitelist - I suggest you do something very similar.

I use this for URL paths and have found it works well; you pass each part of your URL to this function. It does more than you need, since it converts characters such as "&" to "and", but you can adapt it to suit:

using System.Text.RegularExpressions;

// Extension methods must live in a static class.
public static class UrlCleaner {

    public static string CleanUrl(this string urlpart) {

        // convert accented characters to regular ones
        string cleaned = urlpart.Trim().anglicized();

        // do some pretty conversions
        cleaned = Regex.Replace(cleaned, "&nbsp;", "-");
        cleaned = Regex.Replace(cleaned, "#", "no.");
        cleaned = Regex.Replace(cleaned, "&", "and");
        cleaned = Regex.Replace(cleaned, "%", "percent");
        cleaned = Regex.Replace(cleaned, "@", "at");

        // strip all illegal characters like punctuation
        cleaned = Regex.Replace(cleaned, "[^A-Za-z0-9- ]", "");

        // convert spaces to dashes
        cleaned = Regex.Replace(cleaned, " +", "-");

        // If we're left with nothing after everything is stripped and cleaned
        if (cleaned.Length == 0)
            cleaned = "no-description";

        // return lowercased string
        return cleaned.ToLower();
    }

    // Convert accented characters to standardized ones
    private static string anglicized(this string urlpart) {
        // beforeConversion[i] is mapped to afterConversion[i]; both strings must stay the same length
        string beforeConversion = "àÀâÂäÄáÁéÉèÈêÊëËìÌîÎïÏòÒôÔöÖùÙûÛüÜçÇ'ñ";
        string afterConversion  = "aAaAaAaAeEeEeEeEiIiIiIoOoOoOuUuUuUcC'n";

        string cleaned = urlpart;

        // plain char replacement: no regex needed, and the result of each step feeds the next
        for (int i = 0; i < beforeConversion.Length; i++) {
            cleaned = cleaned.Replace(beforeConversion[i], afterConversion[i]);
        }
        return cleaned;

        // Spanish : ÁÉÍÑÓÚÜ¡¿áéíñóúü (not all of these are in the table above)
    }
}
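The following is an added example and is not code from either answer above. It applies the whitelist approach the second answer recommends to the kind of query-string value the question is about, instead of the first answer's character blacklist: anything outside a small allowed set is dropped, and a strict IsValid variant (an addition that goes a little beyond the answers) lets a page reject a bad value outright rather than silently rewriting it. The class name QueryStringWhitelist, the allowed character set and the 64-character limit are assumptions chosen for illustration; the sample inputs are constructed.

```csharp
// Added example, not from the original answers.
// Assumes an ASP.NET code-behind; names and limits below are illustrative choices.
using System;
using System.Text.RegularExpressions;

public static class QueryStringWhitelist
{
    // Whitelist: only ASCII letters, digits, space, underscore and hyphen survive.
    // Every character listed in the question falls outside this class and is removed.
    private static readonly Regex Disallowed =
        new Regex(@"[^A-Za-z0-9 _-]", RegexOptions.Compiled);

    // Assumed upper bound on a single value; oversized input is truncated.
    private const int MaxLength = 64;

    // Lenient form: returns a cleaned copy of the value, never null.
    public static string Clean(string value)
    {
        if (string.IsNullOrEmpty(value))
            return string.Empty;

        string cleaned = Disallowed.Replace(value, string.Empty).Trim();
        if (cleaned.Length > MaxLength)
            cleaned = cleaned.Substring(0, MaxLength);
        return cleaned;
    }

    // Strict form: true only when the raw value already satisfies the whitelist,
    // so the caller can refuse the request instead of guessing what was meant.
    public static bool IsValid(string value)
    {
        return !string.IsNullOrEmpty(value)
            && value.Length <= MaxLength
            && !Disallowed.IsMatch(value);
    }

    public static void Main()
    {
        // Constructed sample values, not captured from a real request.
        string[] samples =
        {
            "widget-42",
            "O'Brien & Sons",
            "price<100%;$=*`#|@",
            "  spaces trimmed  ",
            ""
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-24} valid={1,-5} cleaned='{2}'",
                '"' + s + '"', IsValid(s), Clean(s));
        }
        // e.g. in a page: string id = QueryStringWhitelist.Clean(Request.QueryString["id"]);
    }
}
```

In a page you would call Clean (or check IsValid and return an error) on each Request.QueryString value before using it. Whitelisting keeps the allowed set short and explicit, which is the point the second answer makes; it does not replace passing the value to the database as a command parameter rather than concatenating it into the SQL text, which is what actually keeps the data from being interpreted as part of the statement.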

Category: vb.net   Date: 2015-03-15   Views: 1