Entity Framework(以後簡稱EF)作為一款ORM非常實用,能夠大幅度提高開發速度,但是EF的實質也是SQL語句,同樣需要防SQL注入,在這裡利用過濾器的特性來實現過濾特殊字符。
1.首先是過濾的代碼
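/// <summary>
/// Action filter that strips a fixed list of SQL keywords and punctuation from every
/// <see cref="string"/> action parameter before the action runs.
/// </summary>
/// <remarks>
/// NOTE(review): keyword stripping is not a reliable defence against SQL injection and it
/// silently destroys legitimate input (a password containing "=" or a surname containing
/// "select"). The robust control is parameterised queries, which EF already emits for LINQ
/// queries; only raw SQL assembled by string concatenation is at risk. Treat this filter as
/// defence in depth at most, never as the primary control.
/// </remarks>
public class SqlFilterAttribute : FilterAttribute, IActionFilter
{
    /// <summary>
    /// Comma-separated tokens removed from string parameters. " or " keeps its surrounding
    /// spaces so that words such as "order" or "form" are not mangled.
    /// </summary>
    private const string SQL_FILTER_STRINGS = "=,',:, or ,select,update,insert,delete,declare,exec,drop,create,%,--";

    /// <summary>
    /// Nothing to do after the action has run. The original implementation threw
    /// <see cref="NotImplementedException"/> here, which made every decorated action fail
    /// after it had already executed.
    /// </summary>
    /// <param name="filterContext">Post-execution context; unused.</param>
    public void OnActionExecuted(ActionExecutedContext filterContext)
    {
    }

    /// <summary>
    /// Replaces every non-null <see cref="string"/> action parameter with its filtered value.
    /// </summary>
    /// <param name="filterContext">Context whose <c>ActionParameters</c> are rewritten in place.</param>
    /// <exception cref="ArgumentNullException"><paramref name="filterContext"/> is null.</exception>
    public void OnActionExecuting(ActionExecutingContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        foreach (var parameter in filterContext.ActionDescriptor.GetParameters())
        {
            if (parameter.ParameterType != typeof(string))
            {
                continue;
            }

            // TryGetValue instead of the indexer: a parameter the binder did not populate
            // would otherwise raise KeyNotFoundException instead of simply being skipped.
            object value;
            if (filterContext.ActionParameters.TryGetValue(parameter.ParameterName, out value) && value != null)
            {
                filterContext.ActionParameters[parameter.ParameterName] = SqlFilter(value.ToString());
            }
        }
    }

    /// <summary>
    /// Removes every token in <see cref="SQL_FILTER_STRINGS"/> from <paramref name="filterStr"/>,
    /// matching case-insensitively while leaving the case of the remaining text untouched.
    /// </summary>
    /// <param name="filterStr">Raw parameter value; may be null or empty.</param>
    /// <returns>The input with all filter tokens removed, or the input unchanged when null or empty.</returns>
    private static string SqlFilter(string filterStr)
    {
        if (string.IsNullOrEmpty(filterStr))
        {
            return filterStr;
        }

        foreach (var token in SQL_FILTER_STRINGS.Split(','))
        {
            // Regex.Escape so that "%" and "--" are matched literally. IgnoreCase replaces the
            // original ToLower() call, which rewrote the whole value in lower case on every pass
            // and used the current culture for the conversion.
            filterStr = System.Text.RegularExpressions.Regex.Replace(
                filterStr,
                System.Text.RegularExpressions.Regex.Escape(token),
                string.Empty,
                System.Text.RegularExpressions.RegexOptions.IgnoreCase);
        }

        return filterStr;
    }
}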
2.調用sql過濾
/// <summary>
/// Demo controller: the POST <c>Index</c> overload is decorated with <see cref="SqlFilterAttribute"/>,
/// so its <c>s</c> argument has been passed through the filter by the time the action body runs.
/// </summary>
public class DefaultController : Controller
{
    /// <summary>GET: Default — renders the default view.</summary>
    /// <returns>The default view for this action.</returns>
    public ActionResult Index()
    {
        return View();
    }

    /// <summary>
    /// POST: Default — the <paramref name="s"/> value is filtered by <see cref="SqlFilterAttribute"/>
    /// before this method is entered; the action itself does not use it.
    /// </summary>
    /// <param name="s">Posted string, already filtered; unused here.</param>
    /// <returns>The default view for this action.</returns>
    [HttpPost]
    [SqlFilter]
    public ActionResult Index(string s)
    {
        return View();
    }
}
測試之後發現要求過濾的字符確實被過濾掉了。