???????????Σ??Sql??????У??????????????????????????????????ε????????????????????????????????????????Щ????Σ????????????sql?????????Sql???????????????????Winform????????Web??????????????????????Щ?к?????????????????????????????????????????????????????????ù???????????????Щ???????????
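/// <summary>
/// Returns true when <paramref name="inputData"/> contains one of the SQL keywords or
/// OS-command fragments listed by <see cref="GetRegexString"/>.
/// </summary>
/// <remarks>
/// This is a blacklist heuristic, not a security boundary. It recognises only the exact
/// fragments in the list (for example "insert" followed by whitespace), so comment-separated,
/// encoded or simply unlisted keywords pass through. Use it as a defence-in-depth
/// reject-and-log filter; the real protection is keeping every caller-supplied value in a
/// bound parameter (see <see cref="Find"/>) and never splicing user text into SQL.
/// </remarks>
/// <param name="inputData">Free text to scan, typically a WHERE fragment. Null or empty is treated as clean.</param>
/// <returns>true if a blacklisted fragment occurs anywhere in the input; otherwise false.</returns>
public bool HasInjectionData(string inputData)
{
    if (string.IsNullOrEmpty(inputData))
        return false;

    // The original folded case with ToLower(), which is culture sensitive: under tr-TR
    // "INSERT".ToLower() yields "ınsert" (dotless i) and slips past the lowercase pattern.
    // IgnoreCase + CultureInvariant compares the ASCII keywords the same way regardless
    // of the thread culture, and avoids allocating a lowered copy of the input.
    return Regex.IsMatch(
        inputData,
        GetRegexString(),
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
}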
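/// <summary>
/// Builds the regular expression used by <see cref="HasInjectionData"/>: an alternation of
/// SQL keywords and OS-command fragments that have no business appearing in a WHERE or
/// ORDER BY fragment supplied by a caller.
/// </summary>
/// <remarks>
/// The entries are regex fragments, not literal text, so they are written as verbatim
/// strings: in an ordinary C# literal "\s" and "\(" are not valid escape sequences and the
/// original listing does not compile.
/// The list is lowercase and case-sensitive on its own; the caller matches with
/// RegexOptions.IgnoreCase (or lowercases the input first).
/// The ".*" that wrapped the original alternation is dropped: Regex.IsMatch already searches
/// the whole input, and an unanchored leading ".*" only adds quadratic backtracking on long
/// non-matching inputs.
/// This is a heuristic and easy to bypass ("insert/**/into" has no whitespace after the
/// keyword; "select", "union" and "from" are not checked at all), and it also rejects some
/// legitimate text such as "count(". It must not replace parameterised queries.
/// </remarks>
/// <returns>A regex pattern that matches when any listed fragment occurs in the input.</returns>
private static string GetRegexString()
{
    string[] badFragments =
    {
        // "select" and "from" were disabled in the original listing; enabling them would
        // reject any legitimate condition that mentions those words.
        //@"select\s",
        //@"from\s",
        @"insert\s",
        @"delete\s",
        @"update\s",
        @"drop\s",
        @"truncate\s",
        @"exec\s",
        @"count\(",
        @"declare\s",
        @"asc\(",
        @"mid\(",
        @"char\(",
        "net user",
        "xp_cmdshell",
        @"/add\s",
        // Already covered by "xp_cmdshell" above; kept so the list matches the original.
        "exec master.dbo.xp_cmdshell",
        "net localgroup administrators"
    };

    // Each entry is already a regex piece, so no Regex.Escape here.
    return "(" + string.Join("|", badFragments) + ")";
}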
?????????????????б????Sql?????????????????????????????棬?????б??????????????????????????????????????????
/// <summary>
/// Loads the entities matching a caller-supplied WHERE fragment. The fragment is first
/// screened by <see cref="HasInjectionData"/>; a hit is logged and the call is rejected.
/// </summary>
/// <param name="condition">WHERE fragment. It should reference values only through placeholders
/// bound via <paramref name="paramList"/>; splicing user input into it defeats both the
/// keyword filter and the parameters.</param>
/// <param name="orderBy">Sort clause, e.g. "Order By Name Desc". The (garbled) original text
/// appears to describe a default used when it is empty; the elided body would have to confirm that.</param>
/// <param name="paramList">Parameters bound to the placeholders used in <paramref name="condition"/>.</param>
/// <returns>The matching entities.</returns>
// NOTE(review): the "??" in the signature and in the log call are mis-encoded commas from the
// listing's original encoding; read each one as ",". The body after the check is elided ("....").
public virtual List<T> Find(string condition?? string orderBy?? IDbDataParameter[] paramList)
{
    if (HasInjectionData(condition))
    {
        // The offending fragment is written verbatim to the log, so attacker-controlled text
        // lands in the log file; keep that in mind if the log is ever rendered or parsed.
        // A bare System.Exception is thrown, so callers cannot tell this rejection apart from
        // other failures; an ArgumentException would be conventional, but that is a behaviour change.
        LogTextHelper.Error(string.Format("????SQL???????????? {0}"?? condition));
        throw new Exception("????SQL???????????");
    }
    ...........................
}
?????????????Sql????????????棬??????????ò????????????и????????????????????????SQL???????
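// Execute the final statement through the Database wrapper (this looks like Enterprise
// Library's DAAB from the GetSqlStringCommand name — confirm). The SQL text should contain
// only placeholders such as "@Name"; every caller-supplied value travels in `param`, which
// is what actually prevents injection regardless of the keyword filter. If `sql` was itself
// assembled from a user-supplied condition string, the bound parameters do not protect that
// part of the text.
// (The leading "????" on these lines in the original were mis-encoded indentation.)
Database db = CreateDatabase();
DbCommand command = db.GetSqlStringCommand(sql);
command.Parameters.AddRange(param);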