一般的都是用参数的方式传值。
但难免有些拼SQL的情况出现。
一般都过滤关键字，哪些关键字呢？
------解决方案--------------------------------------------------------
过滤空格、逗号、括号就可以了。
------解决方案--------------------------------------------------------
可以替换关键字
- C# code
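// Keywords whose letter case is normalised to lower case. NOTE: each keyword is replaced by
// ITSELF, so nothing is removed or neutralised - this is case normalisation, not a filter.
private static readonly string[] s_keywords =
{
    "exec", "xp_cmdshell", "select", "insert", "update", "delete", "drop", "create",
    "rename", "truncate", "alter", "exists", "master.", "restore",
};

// Compiled once instead of on every call; one pattern per keyword, same order as s_keywords.
private static readonly Regex[] s_keywordPatterns = BuildKeywordPatterns(s_keywords);

/// <summary>
/// Builds one case-insensitive <see cref="Regex"/> per keyword, matching the keyword literally.
/// </summary>
/// <param name="keywords">Plain keyword text (no regex syntax).</param>
/// <returns>Patterns in the same order as <paramref name="keywords"/>.</returns>
private static Regex[] BuildKeywordPatterns(string[] keywords)
{
    Regex[] patterns = new Regex[keywords.Length];
    for (int i = 0; i < keywords.Length; i++)
    {
        // Regex.Escape is required: an unescaped '.' (as in "master.") matches ANY character,
        // so "masters" would silently be rewritten to "master.".
        patterns[i] = new Regex(Regex.Escape(keywords[i]), RegexOptions.IgnoreCase | RegexOptions.Compiled);
    }
    return patterns;
}

/// <summary>
/// Doubles single quotes in <paramref name="str"/> and lower-cases a fixed list of SQL keywords.
/// </summary>
/// <remarks>
/// This is not a sufficient defence against SQL injection. Every keyword is replaced by itself
/// (only its case changes), so no keyword is removed, and quote doubling only has any effect when
/// the value is embedded inside a single-quoted string literal (it does nothing for numeric or
/// identifier positions). Pass values as query parameters; use this only for the residual cases
/// where a fragment must be concatenated, and treat its output as untrusted.
/// </remarks>
/// <param name="str">Input text; <c>null</c> is treated as empty.</param>
/// <returns>The quote-doubled, case-normalised text; never <c>null</c>.</returns>
public static string SafeSql(this string str)
{
    if (string.IsNullOrEmpty(str))
    {
        return "";
    }

    // The single quote is the T-SQL string-literal delimiter; doubling it is the only escaping done here.
    string result = str.Replace("'", "''");

    // Apply each keyword pattern in turn. A match only changes letter case and the keywords do not
    // overlap themselves, so the order of application does not affect the result.
    for (int i = 0; i < s_keywords.Length; i++)
    {
        result = s_keywordPatterns[i].Replace(result, s_keywords[i]);
    }

    return result;
}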