KN_CAMP_SOFTWARE_TEST/Code/ClassLib/ZHYQ/Common/StringBuilderExtend.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace FangYar.Common
{
    /// <summary>
    /// 扩展StringBuilder方法
    /// 防止Sql注入
    /// </summary>
    public static class StringBuilderExtend
    {
        /// <summary>
        ///使用方法：StringBuilder sql = new StringBuilder().Append(" select * from UserInfo where 1=1");
        ///sql.AppendFormatWithSafe(" and RealName like '%{0}%'", model.Item.RealName, sql);
        /// </summary>
        /// <param name="thistringbuilder">StringBuilder对象</param>
        /// <param name="format">format字符串</param>
        /// <param name="prop">属性字段</param>
        /// <param name="strsql">sql字符串</param>
        /// <returns></returns>
        public static StringBuilder AppendFormatWithSafe(this StringBuilder thistringbuilder, string format, object prop, StringBuilder strsql)
        {
            strsql.AppendFormat(format,
                ((string)prop)
                .ToLower()
                .Replace("update", "")
                .Replace("delete", "")
                .Replace("select", "")
                .Replace("insert", "")
                .Replace("from", "")
                .Replace("or", "")
                .Replace("'", "")
                .Replace("@", "")
                .Trim()
             );
            return strsql;
        }

    }
}