Preventing SQL injection on the game server side

SQL injection means smuggling SQL commands into a SQL statement through request input, so that the server executes something it never intended to. Suppose the server wants to load a player's data and builds the query like this:

string sql = "select * from player where id = " + id;

Under normal circumstances this statement does the job of reading the data. But if a player maliciously registers a value such as

"xiaoming;delete from player"

and that string is concatenated into the query, the single SQL statement becomes two:

select * from player where id = xiaoming; delete from player;

Once this runs, every row in the player table is deleted, and the consequences are disastrous. One mitigation is to treat special characters such as quotes, semicolons and commas as unsafe, and to check the input before the SQL statement is assembled. Note that a character blacklist is only a secondary defence: it also rejects legitimate values (a name containing an apostrophe, for example), and it must be updated whenever a new bypass appears. The reliable fix is to stop building SQL by string concatenation and use parameterized queries, so that player input is passed as a value and can never be parsed as SQL. The blacklist check looks like this:
using System.Text.RegularExpressions;

// Returns true when the string contains none of the characters treated as unsafe.
// Inside a character class '|' is a literal, not alternation, so the set also
// includes '|' itself (the original pattern blocked it too, by accident).
public bool IsSafeStr(string str)
{
    return !Regex.IsMatch(str, @"[-;,/()\[\]{}%@*!'|]");
}
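The following is an added example, not code from the original post: it ports the IsSafeStr blacklist to Python and runs the concatenation attack and the parameterized alternative against an in-memory SQLite table, so the effect of each can be checked directly. The table layout, the sample rows and the payload "1; delete from player" (a numeric id followed by a stacked statement, mirroring the "xiaoming;delete from player" idea above) are constructed for the demo; executescript stands in for a driver that accepts several statements in one string.

```python
import re
import sqlite3

# Blacklist from the article's IsSafeStr, ported from C# to Python for this
# added example. Inside a character class '|' is literal, so '|' is rejected too.
UNSAFE_CHARS = re.compile(r"[-;,/()\[\]{}%@*!'|]")


def is_safe_str(value: str) -> bool:
    """Return True when value contains none of the blacklisted characters."""
    return UNSAFE_CHARS.search(value) is None


def make_db() -> sqlite3.Connection:
    """In-memory player table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table player (id integer primary key, name text, gold integer)")
    conn.executemany(
        "insert into player values (?, ?, ?)",
        [(1, "alice", 100), (2, "bob", 250), (3, "carol", 75)],
    )
    conn.commit()
    return conn


def count_players(conn: sqlite3.Connection) -> int:
    return conn.execute("select count(*) from player").fetchone()[0]


def load_player_concat(conn: sqlite3.Connection, player_id: str) -> None:
    """VULNERABLE: same shape as the article's
    'select * from player where id = ' + id. executescript runs every
    statement in the string, so a ';' in the input appends a second command."""
    sql = "select * from player where id = " + player_id
    conn.executescript(sql)


def load_player_param(conn: sqlite3.Connection, player_id):
    """SAFE: the value travels separately from the SQL text and is never parsed
    as part of the statement, whatever characters it contains."""
    return conn.execute("select * from player where id = ?", (player_id,)).fetchone()


# Constructed attacker input: a valid id followed by a stacked DELETE.
PAYLOAD = "1; delete from player"


def demo() -> dict:
    results = {}

    conn = make_db()
    load_player_concat(conn, PAYLOAD)
    results["rows_after_concat"] = count_players(conn)  # table wiped -> 0

    conn = make_db()
    results["param_attack_row"] = load_player_param(conn, PAYLOAD)  # no such id -> None
    results["rows_after_param"] = count_players(conn)               # untouched -> 3
    results["param_normal_row"] = load_player_param(conn, 1)        # (1, 'alice', 100)

    results["payload_blocked"] = not is_safe_str(PAYLOAD)            # blacklist catches it
    results["legit_name_rejected"] = not is_safe_str("O'Brien")     # and a legitimate name
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The last two results show why the blacklist is only a backstop: it rejects the payload, but it rejects "O'Brien" as well, while the parameterized query handles both without any filtering.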

Source: blog.csdn.net/weixin_41590778/article/details/129475896