请高手指点我写的防注入代码,看会出现哪些问题,哪些还可以改进?
请高手指点我写的防注入代码,看会出现哪些问题,哪些还可以改进?虚心学习中……
另外:我想把这段代码写成类的一个方法,或写成公用函数,但一执行到转向(Response.Redirect("/erro.htm");)时就出错,提示的错误不一样,总之就是不能在这两种方式中转向,所以我现在在每个要用的页面都要加这段代码,真累,各位有什么更好的方法啊??
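/// <summary>
/// Blacklist-based request-input filter. Every whitespace-separated token of
/// <paramref name="str"/> is compared (case-insensitively) against a list of SQL
/// keywords; on a hit the request is redirected to /erro.htm. Otherwise a copy of
/// the input in which quote/operator characters are replaced by full-width
/// look-alikes is returned.
/// </summary>
/// <param name="str">Raw request input. A null value is treated as an empty string.</param>
/// <returns>The input with quote/operator characters replaced, or an empty string for null input.</returns>
/// <remarks>
/// A keyword blacklist can never be complete, so this must not be the only defence:
/// values should reach the database through parameterized commands (SqlParameter),
/// and be HTML-encoded on output. Response.Redirect is a member of Page; when this
/// method is moved into a separate class use HttpContext.Current.Response.Redirect
/// instead. With the default endResponse=true the redirect ends the current request,
/// so the statements after it normally do not run.
/// </remarks>
private string CheckInputStr(string str)
{
    if (str == null)
    {
        return string.Empty;
    }

    // Whole tokens that cause the request to be rejected.
    string[] blockedWords = {"and","or","set","exec","execute","declare","select","insert","delete","drop","update","truncate","asc(","mid(","count(","char(","xp_cmdshell","net localgroup","backup database","master","sqloledb","db_name","openrowset","opendatasource","triger","jobs","sp_addlogin","sp_addsrvrolemember"};

    // Replace quote/operator characters with full-width look-alikes so the value can no
    // longer close a string literal or chain statements; "&&" is removed entirely.
    string sanitized = str.Replace("'","‘").Replace(";",";").Replace(",",",").Replace("--","--").Replace("+","+").Replace("&&","").Replace("||","||").Replace("=","=").Replace("!","!").Replace("<","〈").Replace(">","〉");

    // A null separator splits on every whitespace character (tab, newline, ...),
    // not only on ' ', so tokens separated by tabs are examined too.
    string[] tokens = str.Split((char[])null);

    for (int t = 0; t < tokens.Length; t++)
    {
        string token = tokens[t];
        if (token.Length == 0)
        {
            continue; // consecutive whitespace yields empty tokens
        }

        for (int k = 0; k < blockedWords.Length; k++)
        {
            // Case-insensitive so that "SELECT" and "Select" are treated like "select".
            if (string.Compare(token, blockedWords[k], true) == 0)
            {
                Response.Redirect("/erro.htm");
                // Only reached when the redirect does not end the response; one hit is
                // enough, so stop scanning and return the same value the caller would
                // otherwise receive.
                return sanitized;
            }
        }
    }

    return sanitized;
}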