
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
// ReSharper disable once CheckNamespace
namespace DSWeb.SoftMng.Common
{
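/// <summary>
/// Input-filtering helpers (SQL keyword blacklist, character stripping, HTML stripping)
/// and a DES-based string encrypt/decrypt pair that produces upper-case hex.
/// </summary>
/// <remarks>
/// The "SQL filter" methods are keyword blacklists, not a substitute for parameterized
/// queries: they reject or mangle ordinary text (any word containing "or", "and", "net", ...)
/// and can still be bypassed. The crypto pair is kept wire-compatible with existing data,
/// so its weaknesses are documented here rather than changed: single DES (56-bit key),
/// the IV is the key itself (identical plaintexts encrypt to identical output), short keys
/// are padded with a fixed constant, and <see cref="Encoding.Default"/> is platform dependent
/// (ANSI code page on .NET Framework, UTF-8 on .NET Core), so ciphertext is not portable
/// for non-ASCII text.
/// </remarks>
public class Common
{
    /// <summary>
    /// Fixed filler appended to keys shorter than 8 characters; with the truncation
    /// to 8 characters this means a short key is effectively (key + prefix of this constant).
    /// </summary>
    private const string KeyPadding = "xuE29xWp";

    /// <summary>
    /// Keyword blacklist used by <see cref="SqlFilterExist"/>: a listed token followed by
    /// whitespace, '+', '.', '*' or the end of the input. Note that "netlocalgroup" carries no
    /// space, so "net localgroup" does not match that alternative (kept as in the original).
    /// </summary>
    private const string SqlKeywordPattern =
        @"(select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|netlocalgroup administrators|net user|or|and|join|dec|exec|chr|declare)([\s+.*]|$)";

    // Built once instead of re-parsing the pattern on every call; same pattern and options.
    private static readonly Regex SqlKeywordRegex = new Regex(SqlKeywordPattern, RegexOptions.IgnoreCase);

    /// <summary>
    /// Ordered (search, replacement) pairs applied by <see cref="ReplaceSqlChar"/>.
    /// Some characters are swapped for a full-width look-alike rather than dropped,
    /// so the text still reads the same but the ASCII SQL punctuation is gone.
    /// </summary>
    private static readonly string[,] SqlCharReplacements =
    {
        { "'", "" },
        { ";", "" },
        { ",", "," },
        { "?", "?" },
        { "<", "" },
        { ">", "" },
        { "(", "(" },
        { ")", ")" },
        { "@", "" },
        { "=", "" },
        { "+", "" },
        { "*", "" },
        { "&", "" },
        { "#", "" },
        { "%", "" },
        { "$", "¥" },
    };

    /// <summary>
    /// Ordered (regex pattern, replacement) pairs applied case-insensitively by
    /// <see cref="SqlFilterNoHtml"/>: script elements, tags, comments, a handful of
    /// HTML entities, then bare keywords. "xp_cmdshell" appears twice as in the original.
    /// </summary>
    private static readonly string[,] HtmlRegexReplacements =
    {
        { @"<script[^>]*?>.*?</script>", "" },
        { @"<(.[^>]*)>", "" },
        { @"([\r\n])[\s]+", "" },
        { @"-->", "" },
        { @"<!--.*", "" },
        { @"&(quot|#34);", "\"" },
        { @"&(amp|#38);", "&" },
        { @"&(lt|#60);", "<" },
        { @"&(gt|#62);", ">" },
        { @"&(nbsp|#160);", " " },
        { @"&(iexcl|#161);", "\xa1" },
        { @"&(cent|#162);", "\xa2" },
        { @"&(pound|#163);", "\xa3" },
        { @"&(copy|#169);", "\xa9" },
        { @"&#(\d+);", "" },
        { "xp_cmdshell", "" },
        { "select", "" },
        { "insert", "" },
        { "delete from", "" },
        { "count''", "" },
        { "drop table", "" },
        { "truncate", "" },
        { "asc", "" },
        { "mid", "" },
        { "char", "" },
        { "xp_cmdshell", "" },
        { "exec master", "" },
        { "net localgroup administrators", "" },
        { "and", "" },
        { "net user", "" },
        { "or", "" },
        { "net", "" },
        { "-", "" },
        { "delete", "" },
        { "drop", "" },
        { "script", "" },
    };

    /// <summary>
    /// Ordered literal (search, replacement) pairs applied after the regex pass by
    /// <see cref="SqlFilterNoHtml"/>. The "*/" entry can never match because "*" was
    /// already removed two steps earlier; it is kept to preserve the original sequence.
    /// </summary>
    private static readonly string[,] HtmlLiteralReplacements =
    {
        { "<", "" },
        { ">", "" },
        { "*", "" },
        { "-", "" },
        { "?", "" },
        { "'", "''" },
        { ",", "" },
        { "/", "" },
        { ";", "" },
        { "*/", "" },
        { "\r\n", "" },
    };

    /// <summary>
    /// Reports whether <paramref name="source"/> contains a token from the SQL keyword blacklist.
    /// </summary>
    /// <remarks>
    /// This is a heuristic with many false positives ("doctor", "for the record" and similar
    /// all match because "or" is listed) and it does not make a string safe to concatenate
    /// into a query; use parameterized SQL for that.
    /// </remarks>
    /// <param name="source">Text to inspect. Null or empty is treated as clean.</param>
    /// <returns>true if a blacklisted token was found, otherwise false.</returns>
    public static bool SqlFilterExist(string source)
    {
        if (string.IsNullOrEmpty(source))
            return false;
        return SqlKeywordRegex.IsMatch(source);
    }

    /// <summary>
    /// Removes or substitutes characters commonly used in SQL syntax, in a fixed order.
    /// </summary>
    /// <param name="str">Text to filter. Null is treated like the empty string.</param>
    /// <returns>The filtered text, or <see cref="string.Empty"/> for null/empty input.</returns>
    public static string ReplaceSqlChar(string str)
    {
        if (string.IsNullOrEmpty(str))
            return string.Empty;
        for (int i = 0; i < SqlCharReplacements.GetLength(0); i++)
        {
            str = str.Replace(SqlCharReplacements[i, 0], SqlCharReplacements[i, 1]);
        }
        return str;
    }

    /// <summary>
    /// Strips script blocks, tags, comments and a set of keywords/characters from
    /// <paramref name="htmlstring"/>, then HTML-encodes and trims the result.
    /// </summary>
    /// <remarks>
    /// The keyword pass deletes substrings, not words: "Android" loses its leading "and",
    /// "internet" loses "net", and every hyphen is removed. Do not use this on text that
    /// must be preserved verbatim.
    /// </remarks>
    /// <param name="htmlstring">Source text that may contain markup. Null is treated like the empty string.</param>
    /// <returns>The HTML-encoded, trimmed remainder.</returns>
    public static string SqlFilterNoHtml(string htmlstring)
    {
        if (string.IsNullOrEmpty(htmlstring))
            return string.Empty;
        for (int i = 0; i < HtmlRegexReplacements.GetLength(0); i++)
        {
            htmlstring = Regex.Replace(htmlstring, HtmlRegexReplacements[i, 0], HtmlRegexReplacements[i, 1], RegexOptions.IgnoreCase);
        }
        for (int i = 0; i < HtmlLiteralReplacements.GetLength(0); i++)
        {
            htmlstring = htmlstring.Replace(HtmlLiteralReplacements[i, 0], HtmlLiteralReplacements[i, 1]);
        }
        // HttpServerUtility.HtmlEncode delegates to this encoder; calling it directly avoids a
        // NullReferenceException when there is no current request (HttpContext.Current == null).
        return HttpUtility.HtmlEncode(htmlstring).Trim();
    }

    /// <summary>
    /// DES-encrypts <paramref name="pToEncrypt"/> and returns the ciphertext as upper-case hex.
    /// </summary>
    /// <param name="pToEncrypt">Text to encrypt; empty input yields an empty string.</param>
    /// <param name="sKey">Key material; padded/truncated to 8 characters (see <see cref="DeriveKeyBytes"/>).</param>
    /// <returns>Upper-case hex of the DES/CBC/PKCS7 ciphertext, or "" for empty input.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="sKey"/> is null.</exception>
    /// <exception cref="CryptographicException">The derived key is not 8 bytes or is a weak DES key.</exception>
    public static string string_Encrypt(string pToEncrypt, string sKey)
    {
        if (string.IsNullOrEmpty(pToEncrypt)) return "";
        byte[] keyBytes = DeriveKeyBytes(sKey);
        byte[] inputByteArray = Encoding.Default.GetBytes(pToEncrypt);
        byte[] cipherBytes;
        using (DES des = DES.Create())
        using (MemoryStream ms = new MemoryStream())
        {
            // IV == key is part of the existing data format; it makes encryption deterministic.
            des.Key = keyBytes;
            des.IV = keyBytes;
            using (CryptoStream cs = new CryptoStream(ms, des.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(inputByteArray, 0, inputByteArray.Length);
                cs.FlushFinalBlock();
                cipherBytes = ms.ToArray();
            }
        }
        // BitConverter yields "AB-CD-..."; dropping the dashes matches the old "{0:X2}" loop exactly.
        return BitConverter.ToString(cipherBytes).Replace("-", "");
    }

    /// <summary>
    /// Decrypts hex produced by <see cref="string_Encrypt"/> with the same key.
    /// </summary>
    /// <param name="pToDecrypt">Upper- or lower-case hex ciphertext; empty input yields "".</param>
    /// <param name="sKey">Key material; padded/truncated exactly as in <see cref="string_Encrypt"/>.</param>
    /// <returns>
    /// The decrypted text, or "" when the input is not valid hex, is not a whole number of
    /// DES blocks, fails padding verification, or the derived key is rejected (best-effort contract
    /// callers already rely on; a wrong key is therefore indistinguishable from an empty plaintext).
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="sKey"/> is null.</exception>
    public static string string_Decrypt(string pToDecrypt, string sKey)
    {
        if (string.IsNullOrEmpty(pToDecrypt)) return "";
        byte[] keyBytes = DeriveKeyBytes(sKey);
        try
        {
            byte[] inputByteArray = HexToBytes(pToDecrypt);
            using (DES des = DES.Create())
            using (MemoryStream ms = new MemoryStream())
            {
                des.Key = keyBytes;
                des.IV = keyBytes;
                using (CryptoStream cs = new CryptoStream(ms, des.CreateDecryptor(), CryptoStreamMode.Write))
                {
                    cs.Write(inputByteArray, 0, inputByteArray.Length);
                    cs.FlushFinalBlock();
                    return Encoding.Default.GetString(ms.ToArray());
                }
            }
        }
        catch (FormatException)
        {
            // Not hex.
            return "";
        }
        catch (ArgumentException)
        {
            // Convert.ToByte rejects some malformed digit pairs with ArgumentException.
            return "";
        }
        catch (CryptographicException)
        {
            // Wrong key/IV size, weak key, incomplete block or bad padding.
            return "";
        }
    }

    /// <summary>
    /// Builds the 8-byte DES key the way both public methods always have: keys shorter than
    /// 8 characters get <see cref="KeyPadding"/> appended, longer keys are cut to 8 characters,
    /// then the characters are encoded with <see cref="Encoding.Default"/>.
    /// </summary>
    /// <remarks>
    /// Non-ASCII characters may encode to more than one byte, in which case the result is not
    /// 8 bytes and the DES key setter throws. Callers pass the same key to both methods.
    /// </remarks>
    /// <exception cref="ArgumentNullException"><paramref name="sKey"/> is null.</exception>
    private static byte[] DeriveKeyBytes(string sKey)
    {
        if (sKey == null) throw new ArgumentNullException("sKey");
        if (sKey.Length < 8) sKey = sKey + KeyPadding;
        if (sKey.Length > 8) sKey = sKey.Substring(0, 8);
        return Encoding.Default.GetBytes(sKey);
    }

    /// <summary>
    /// Parses consecutive two-character hex groups into bytes; a trailing odd character is ignored.
    /// </summary>
    /// <exception cref="FormatException">A group is not valid hex.</exception>
    private static byte[] HexToBytes(string hex)
    {
        byte[] bytes = new byte[hex.Length / 2];
        for (int x = 0; x < bytes.Length; x++)
        {
            bytes[x] = Convert.ToByte(hex.Substring(x * 2, 2), 16);
        }
        return bytes;
    }
}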
}