VB.NET: how do I filter out characters in the query string that could lead to vulnerabilities?
I need to filter out characters like /?-^%{}[];$=*`#|&@'\"()+,\ . If the query string contains an empty value, I need to replace it with an empty string. Please help me. I am using this in an ASP page. Ideally this would be a function, something like the following:
Public Function MakeSQLSafe(ByVal sql As String) As String
    'first i'd avoid putting quote chars in as they might be valid? just double them up.
    Dim strIllegalChars As String = "/?-^%{}[];$=*`#|&@\<>()+,\"
    'replace single quotes with double so they don't cause escape character
    If sql.Contains("'") Then
        sql = sql.Replace("'", "''")
    End If
    'need to double up double quotes from what I remember to get them through
    If sql.Contains("""") Then
        sql = sql.Replace("""", """""")
    End If
    'remove illegal chars
    For Each c As Char In strIllegalChars
        If sql.Contains(c.ToString) Then
            sql = sql.Replace(c.ToString, "")
        End If
    Next
    Return sql
End Function
This is untested and could probably be made more efficient, but it should get you going. Wherever you execute SQL in your application, just wrap the SQL in this function to clean the string before executing it:
ExecuteSQL(MakeSQLSafe(strSQL))
Hope this helps. As with any string cleaning, you are better off using a whitelist that specifies which characters are allowed rather than a blacklist of characters that are not allowed.
This question about filtering HTML tags got an accepted answer suggesting a regex that matches a whitelist: - I would suggest you do something very similar. I am using URL routing and have found that this works well; pass each part of the URL to this function. It does more than you need, since it converts characters such as "&" to "and", but you can adapt it to suit:
using System.Text.RegularExpressions;

public static class UrlCleaning {
    public static string CleanUrl(this string urlpart) {
        // convert accented characters to regular ones
        string cleaned = urlpart.Trim().anglicized();
        // do some pretty conversions
        cleaned = Regex.Replace(cleaned, " ", "-");
        cleaned = Regex.Replace(cleaned, "#", "no.");
        cleaned = Regex.Replace(cleaned, "&", "and");
        cleaned = Regex.Replace(cleaned, "%", "percent");
        cleaned = Regex.Replace(cleaned, "@", "at");
        // strip all illegal characters like punctuation
        cleaned = Regex.Replace(cleaned, "[^A-Za-z0-9- ]", "");
        // convert spaces to dashes
        cleaned = Regex.Replace(cleaned, " +", "-");
        // If we're left with nothing after everything is stripped and cleaned
        if (cleaned.Length == 0)
            cleaned = "no-description";
        // return lowercased string
        return cleaned.ToLower();
    }

    // Convert accented characters to standardized ones
    // (Spanish: ÁÉÍÑÓÚÜ¡¿áéíñóúü)
    private static string anglicized(this string urlpart) {
        string beforeConversion = "àÀâÂäÄáÁéÉèÈêÊëËìÌîÎïÏòÒôÔöÖùÙûÛüÜçÇ’ñ";
        string afterConversion = "aAaAaAaAeEeEeEeEiIiIiIoOoOoOuUuUuUcC'n";
        string cleaned = urlpart;
        // replace each accented character with its plain equivalent at the same index,
        // accumulating the result in 'cleaned' (the original overwrote it from 'urlpart'
        // each pass and compared afterConversion with itself, so nothing was converted)
        for (int i = 0; i < beforeConversion.Length; i++) {
            cleaned = cleaned.Replace(beforeConversion[i], afterConversion[i]);
        }
        return cleaned;
    }
}
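A whitelist version of the filter both answers recommend, as an added example rather than code from either answer: it keeps only an allowed set of characters, so every character in the question's list is dropped without enumerating them, and it hands the cleaned value to SQL as a parameter instead of splicing it into the statement text. The table and column names, the 50-character limit and the connection string are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Public Module QueryStringFilter
    ' Whitelist: anything that is not a letter, digit, space or underscore is removed.
    ' This drops every character in the question's list without listing them one by one.
    Private ReadOnly NotAllowed As New Regex("[^A-Za-z0-9 _]", RegexOptions.Compiled)

    ' Returns a cleaned copy of one query-string value; Nothing or "" becomes "".
    ' Usage in an ASP.NET page: WhitelistQueryValue(Request.QueryString("q"), 50)
    Public Function WhitelistQueryValue(ByVal value As String, ByVal maxLength As Integer) As String
        If String.IsNullOrEmpty(value) Then Return String.Empty
        Dim cleaned As String = NotAllowed.Replace(value.Trim(), String.Empty)
        ' cap the length as well, so a very long value cannot reach the database
        If cleaned.Length > maxLength Then cleaned = cleaned.Substring(0, maxLength)
        Return cleaned
    End Function

    ' Example lookup: the cleaned value travels as a parameter (data), not as SQL text,
    ' so quotes would not need doubling even if the whitelist allowed them.
    ' "Products", "Name" and the connection string are placeholders (assumptions).
    Public Function CountByName(ByVal connectionString As String, ByVal rawName As String) As Integer
        Dim name As String = WhitelistQueryValue(rawName, 50)
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("SELECT COUNT(*) FROM Products WHERE Name = @name", conn)
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name
                conn.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function
End Module
```

With this approach a value such as abc'; DROP-- comes back as abc DROP, and because the value is bound as a parameter the result would be harmless even if the whitelist were widened.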
As Martin asked below: URL or SQL query string? I posted assuming SQL, so apologies if you meant the other, but the function will work on any string passed to it.