Joh*_*vus -1 c# regex sql sql-injection
I am writing this code to protect my server from SQL injection. The goal is to insert [BloCKiT] in front of anything that matches. Please do not split the words by spaces, because that does not work for this case, for example "s = 290'; DECLARE%". That causes an error.
Please see the comments in the code, thanks.
The code below is written in C#.
```csharp
string MyOutPut = "";
string PatternAnywhereFromWord = "declare|exec|insert|update|delete|varchar|cast"; // search for any of these anywhere within the word, CASE-INSENSITIVE. This is the regular expression
string AttachmeMe = "[BloCKiT]"; // insert this string into the statement
// find the patterns case-insensitively anywhere within the statement and attach the AttachmeMe variable in front of the matched position
string InputStatment = "delete s=290';DECLARE%20@S%20NVARCHAR(4000) ;insert into update all xdelete * from database exec";
// some logic here. I plan to write a loop, but I think it would perform pretty slowly
MyOutPut = "YOUR LOGIC HERE";
// The result should be: [BloCKiT]delete s=290';[BloCKiT]DECLARE%20@S%20NVARCHAR(4000) ;[BloCKiT]insert into [BloCKiT]update all x[BloCKiT]delete * from database [BloCKiT]exec
```
Are you serious? Because if you are, don't do this.
Do you think you can always outsmart Little Bobby Tables? Especially with such a naive solution.
```sql
drop database master; --oops
```
Instead, use SQL parameters to make any user input safe.
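As an added illustration of the parameterized approach this answer recommends (example code, not from the question or the answer), the following C# method binds the user's text as a typed `SqlParameter` with `System.Data.SqlClient`. The connection string, the `dbo.Products` table and its `Name` column are assumed placeholders; the hostile-looking input is the one from the question.

```csharp
// Added example: parameterized query instead of keyword blacklisting.
// Assumptions: a SQL Server reachable via the connection string in args[0],
// and a table dbo.Products with an NVARCHAR(200) column Name.
using System;
using System.Data;
using System.Data.SqlClient;

public static class SafeQuery
{
    // Counts products whose Name equals the supplied text.
    // The text is sent as a parameter value, not spliced into the SQL string,
    // so quotes, semicolons, comment markers and words like DECLARE or EXEC
    // are data to the server and can never change the statement's structure.
    public static int CountProductsNamed(string connectionString, string userInput)
    {
        const string sql = "SELECT COUNT(*) FROM dbo.Products WHERE Name = @name";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length: the value is transmitted out-of-band
            // from the query text with the declared SQL type.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = userInput;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    public static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: SafeQuery <connection-string>");
            return;
        }

        // The input from the question. With a bound parameter it is harmless:
        // it is compared literally against Name and simply matches no row.
        string fromQuestion = "s=290';DECLARE%20@S%20NVARCHAR(4000) ;insert into update all";
        int matches = CountProductsNamed(args[0], fromQuestion);
        Console.WriteLine($"{matches} product(s) named exactly {fromQuestion}");
    }
}
```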