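// Hand-rolled escaping for a value that is concatenated into a SQL literal and later
// rendered as HTML. Order matters: "&" is encoded before any other entity is introduced,
// and the "<br>" for "\r" is inserted only after "<" has been encoded, so that tag survives.
// The rendered page had decoded the entity targets ("&amp;" -> "&"), which turned these
// lines into no-ops and made the "\"" line invalid C#; the targets are restored here.
inputString = inputString.Replace("'", "''");      // double single quotes (SQL quote escaping; a parameterised command makes this line unnecessary)
inputString = inputString.Replace("&", "&amp;");   // encode &
inputString = inputString.Replace("\"", "&quot;"); // encode "
inputString = inputString.Replace("<", "&lt;");    // encode <
inputString = inputString.Replace(">", "&gt;");    // encode >
inputString = inputString.Replace(" ", "&nbsp;");  // encode space
inputString = inputString.Replace(" ", " ");       // NOTE(review): rendered identically to the line above; the original source/target pair was lost in extraction — confirm against the source post
inputString = inputString.Replace("\t", " ");      // tab -> space (NOTE(review): the target may have been an entity before extraction — confirm)
inputString = inputString.Replace("\r", "<br>");   // carriage return -> line break; a trailing "\n" from "\r\n" is left in place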
// Input the page uses to exercise Page_Load below: run from the address bar it stores
// "ID=2 and 1=1" (URL-escaped) in a cookie, so the cookie branch of Page_Load reads a
// value that is not an integer; Convert.ToInt32 then throws and control lands in the catch block.
javascript:alert(document.cookie="ID="+escape("2 and 1=1"))
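/// <summary>
/// Demo handler for the injection walkthrough: reads <c>ID</c> from the request, lets a
/// cookie named <c>ID</c> override it, echoes the value and reports whether it equals 2.
/// <c>ID</c> is kept as an <see cref="int"/> the whole way (never converted to a string),
/// so whatever text arrives can never be written back as SQL or HTML.
/// </summary>
/// <param name="sender">The page raising the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        // Request["ID"] searches QueryString, Form, Cookies and ServerVariables in that order.
        // TryParse replaces Convert.ToInt32 so a missing or non-numeric value (such as the
        // "2 and 1=1" probe shown above) yields 0 instead of a FormatException.
        int ID;
        int.TryParse(Request["ID"], out ID);

        var idCookie = Request.Cookies["ID"];
        if (idCookie != null)
        {
            // For the demo the cookie deliberately wins over the query string.
            int.TryParse(idCookie.Value, out ID);
            Response.Write("Cookie Value:" + ID + "<br />");
        }
        else
        {
            Response.Write("当前浏览器进程的无会话Cookie!<br />");
        }

        if (ID == 2)
        {
            Response.Write("参数为:");
            Response.Write(ID);
        }
        else
        {
            Response.Write("没有参数传过来");
        }
    }
    catch (Exception ex)
    {
        // Never echo ex.Message to the client: exception text reveals internals (driver,
        // table and column names) that a probing client uses to refine its next attempt.
        // Record the details server-side and return a neutral message instead.
        System.Diagnostics.Trace.TraceError(ex.ToString());
        Response.Write("请求处理出错");
    }
}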
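// The rendered page decoded the entity targets to bare "<" and ">", which made both lines
// replace a character with itself; the entities are restored so the tags are neutralised.
inputString = inputString.Replace("<", "&lt;"); // encode <
inputString = inputString.Replace(">", "&gt;"); // encode >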
<asp:DataList ID="DataList1" runat="server" DataSourceID="SqlDataSource1">
<ItemTemplate>
<%-- Server.HtmlEncode inside the binding expression is what keeps the stored HTML from being
     interpreted by the browser: it is shown as text, exactly as stored.
     NOTE(review): Eval(...) returning null makes .ToString() throw — confirm the column is NOT NULL. --%>
不解析的HTML,原样输出:
<asp:Label ID="idLabel" runat="server" Text='<%# Server.HtmlEncode(Eval("含有HTML标签的字符串").ToString())%>'></asp:Label><br />
</ItemTemplate>
</asp:DataList>
-- Statements 2 and 4 are what the server executes when a supplied value is pasted into the
-- SQL text: the value closes the literal, ";" starts a second statement and "--" discards
-- the rest. Statement 5 is the same input after quote doubling: the doubled quote keeps the
-- whole value inside the literal. Doubling only covers string literals; statement 2 is a
-- numeric context, where only a typed (integer) command parameter keeps the value data.
select * from t where id=3 --语句1
select * from t where id=3;drop table t --语句2
select * from t where [name]='123' --语句3
select * from t where [name]='123';drop table t--' --语句4
insert into t([name]) values('12'');drop table t--') --语句5
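// Same escaping chain as above. Two defects fixed: the first line discarded the result of
// Replace (strings are immutable, so the quote doubling never took effect), and the rendered
// page had decoded the entity targets ("&amp;" -> "&"), leaving no-op replacements and an
// invalid "\"" line. Order matters: "&" first, and "<br>" only after "<" has been encoded.
inputString = inputString.Replace("'", "''");      // double single quotes (SQL quote escaping; a parameterised command makes this line unnecessary)
inputString = inputString.Replace("&", "&amp;");   // encode &
inputString = inputString.Replace("\"", "&quot;"); // encode "
inputString = inputString.Replace("<", "&lt;");    // encode <
inputString = inputString.Replace(">", "&gt;");    // encode >
inputString = inputString.Replace(" ", "&nbsp;");  // encode space
inputString = inputString.Replace(" ", " ");       // NOTE(review): rendered identically to the line above; the original source/target pair was lost in extraction — confirm against the source post
inputString = inputString.Replace("\t", " ");      // tab -> space (NOTE(review): the target may have been an entity before extraction — confirm)
inputString = inputString.Replace("\r", "<br>");   // carriage return -> line break; a trailing "\n" from "\r\n" is left in place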