SQLの危険文字に対するユーザー入力のバッチ検出

クズども · 掲載地 2015/05/08 12:29:34

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="testsql.aspx.cs" Inherits="TestWeb.testsql" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox><asp:TextBox ID="TextBox2"
runat="server"></asp:TextBox><asp:TextBox ID="TextBox3" runat="server"></asp:TextBox>
<asp:Button ID="Button1" runat="server" Text="Button"
onclick="Button1_Click" />
</div>
</form>
</body>
</html>

コードをコピーします

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace TestWeb
{
public partial class testsql : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void Button1_Click(object sender, EventArgs e)
{
string[] userinput = new string[] { TextBox1.Text, TextBox2.Text, TextBox3.Text };
bool a=SQLinfo.sql(userinput);
Response.Write(a);
}
}
}

コードをコピーします

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;
namespace TestWeb
{
public class SQLinfo
{
public static bool sql(string[] inputString)
{
string SqlStr = @"and|or|exec|execute|insert|select|delete|update|alter|create|drop|count|\*|chr|char|asc|mid|substring|master|truncate|declare|xp_cmdshell|restore|backup|net +user|net +localgroup +administrators";
try
{
foreach (string sqls in inputString)
{
if ((sqls != null) && (sqls != String.Empty))
{
string str_Regex = @"\b(" + SqlStr + @")\b";
Regex Regex = new Regex(str_Regex, RegexOptions.IgnoreCase);
//string s = Regex.Match(inputString).Value;
if (true == Regex.IsMatch(sqls))
return false;
}
}
}
catch
{
return false;
}
return true;
}
}
}

コードをコピーします

[ASP.NET] SQLの危険文字に対するユーザー入力のバッチ検出