以下针对c#.net

首先添加引用Microsoft.VisualBasic.Dll

引入命名空间using Microsoft.VisualBasic;


使用Replace方法，以下为参数：


Strings.Replace(原字符串的内容,要替换的字段内容,替换后的字段内容,从第几位开始替换(注意默认为1),替换的次数(-1表示所有),是否无视大小写);


例：

       public static string cutHtml(string str)

       {


           str = Strings.Replace(str, "<", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, ">", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, """, "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "delete", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "script", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "update", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "exec", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "insert", "", 1, -1, CompareMethod.Text);        

           str = Strings.Replace(str, "object", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "function", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "drop", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "rename", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "mid", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "exists", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "alter", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "\"", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, "\'", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, ";", "", 1, -1, CompareMethod.Text);

           str = Strings.Replace(str, ",", "", 1, -1, CompareMethod.Text);


           return str;

       }

如果您有更好的防sql注入方法请留言 我将非常感谢