C#SQL注入攻击检查类SQLInjection

C# Code:

/// <summary>
/// C#SQL注入攻击检查类
/// </summary>
public static class SQLInjection
{
   private const string StrKeyWord = @"select|insert|delete|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec master|netlocalgroup administrators|net user|""|'";
   
   /// <summary>
   /// 检查文本是否包含SQL关键字
   /// </summary>
   /// <param name="content">被检查的字符串</param>
   /// <returns>存在SQL关键字返回true，不存在返回false</returns>
   private static bool CheckKeyWord(string content)
   {
      string word = content;
      string[] patten1 = StrKeyWord.Split('|');
      foreach (string i in patten1)
      {
         if (word.Contains(" " + i) || word.Contains(i + " "))
         {
            return true;
         }
      }
      return false;
   }
   
   /// <summary>
   /// 检查文本是否注入攻击
   /// </summary>
   /// <param name="content">被检查的字符串</param>
   /// <returns></returns>
   public static bool IsAttack(string content)
   {
      if (String.IsNullOrWhiteSpace(content)) return false;
      
      //存在单引号且包含SQL命令
      return (content.Contains("'") || CheckKeyWord(content));
   }
   
   /// <summary>
   /// 移除SQL命令及单引号
   /// </summary>
   /// <param name="content">被检查的字符串</param>
   /// <returns></returns>
   public static string RemoveKeywords(string content)
   {
      if (String.IsNullOrWhiteSpace(content)) return "";
      
      //替换高危险单引号
      content = content.Replace("'", "");
      
      string[] patten1 = StrKeyWord.Split('|');
      foreach (string i in patten1)
      {
         content = content.Replace(i, "");
      }
      
      return content;
   }
   
   //来源:C/S框架网(www.csframework.com) QQ:23404761
   

C# Code:

public static void Test()
{
   Console.WriteLine(SQLInjection.IsAttack("asdf'asdf"));
   
   string sql = "测试注入攻击'xp_cmdshell spXXX asdfjalsdfasdf, select * from user";
   
   Console.WriteLine(SQLInjection.IsAttack(sql));
   Console.WriteLine(SQLInjection.RemoveKeywords(sql));
}

//来源:C/S框架网(www.csframework.com) QQ:23404761