参考链接:
http://www.lanhusoft.com/Article/132.html
在core下,多少有些改动,其中js部分被注释掉了,如下:
public static string FilterSql(string s)
{
if (string.IsNullOrEmpty(s)) return string.Empty;
s = s.Trim().ToLower();
// s = ClearScript(s);
s = s.Replace("=", "");
s = s.Replace("'", "");
s = s.Replace(";", "");
s = s.Replace(" or ", "");
s = s.Replace("select", "");
s = s.Replace("update", "");
s = s.Replace("insert", "");
s = s.Replace("delete", "");
s = s.Replace("declare", "");
s = s.Replace("exec", "");
s = s.Replace("drop", "");
s = s.Replace("create", "");
s = s.Replace("%", "");
s = s.Replace("--", "");
return s;
}
全局过滤:
//全局处理sql访问action时的参数,防止注入漏洞攻击
var actionParameters = context.ActionArguments;
foreach (var p in actionParameters)
{
if (p.GetType() == typeof(string))
{
actionParameters[p.Key] = SqlParameterCheckHelper.FilterSql(p.Value.ToString());
}
}