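/// <summary>
/// Removes a fixed list of SQL keywords and punctuation characters from a user-supplied
/// string in a single pass.
/// </summary>
/// <remarks>
/// This is a best-effort blacklist, not a security boundary: stripping keywords from a value
/// does not make it safe to concatenate into SQL, so callers must still pass values to the
/// database as query parameters. The keyword list is matched case-insensitively inside
/// ordinary words as well ("and" inside "Andrew", "net" inside "network"), and every space is
/// removed, so legitimate text is altered too, not only suspicious input.
/// </remarks>
/// <param name="Htmlstring">The user-supplied string to filter; may be null.</param>
/// <returns>
/// The input with the listed fragments removed, or <see cref="string.Empty"/> when the input is
/// null or empty.
/// </returns>
public static string FilterIllegalChar(string Htmlstring)
{
    if (string.IsNullOrEmpty(Htmlstring))
    {
        // Regex.Replace throws ArgumentNullException on null, so null is treated like "".
        return string.Empty;
    }

    // Order matters: longer phrases ("delete from", "net localgroup administrators", "net user")
    // are listed before their shorter prefixes ("delete", "net") so both forms are removed.
    string[] sqlKeywords =
    {
        "select",
        "insert",
        "delete from",
        "count''",
        "drop table",
        "truncate",
        "asc",
        "mid",
        "char",
        "xp_cmdshell",
        "exec master",
        "net localgroup administrators",
        "and",
        "net user",
        " or ",
        "net",
        "delete",
        "drop",
        "script",
    };

    // Regex.Escape is required: passing "|" and "||" as raw patterns yields empty alternations,
    // which match the empty string and therefore never removed the pipe character at all.
    foreach (string keyword in sqlKeywords)
    {
        Htmlstring = Regex.Replace(Htmlstring, Regex.Escape(keyword), string.Empty, RegexOptions.IgnoreCase);
    }

    // Literal (ordinal) removal of punctuation. Two consecutive double quotes are removed as a
    // pair; a lone double quote and the '=' character are not touched. Multi-character entries
    // such as ">=" or "''" could never match once their single characters are gone, so they
    // are not listed.
    string[] illegalTokens =
    {
        "'", "<", ">", "%", "\"\"", ",", ".", "-", "_", ";", "[", "]", "&", "/", "|", "?", " ",
    };

    foreach (string token in illegalTokens)
    {
        Htmlstring = Htmlstring.Replace(token, string.Empty);
    }

    return Htmlstring;
}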