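def sql_filter(sql, max_length=20):
    '''Check an untrusted string against a character blacklist.

    Args:
        sql: the input string to check.
        max_length: maximum number of characters kept; longer input is cut
            to this prefix before it is escaped.

    Returns:
        ``escape_string(sql[:max_length])`` when the kept prefix contains no
        blacklisted character, otherwise ``""``.

    NOTE(review): a character blacklist is not a substitute for bound query
    parameters; this only narrows what reaches ``escape_string``, which is
    defined outside this block.
    '''
    # A set deduplicates the list (``"%"`` was listed twice) and makes the
    # per-character membership test O(1).
    dirty_stuff = {
        "\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+",
        "%", "$", "(", ")", "@", "!",
    }
    truncated = len(sql) > max_length
    if truncated:
        print('字符串超过max_length,将只采用前max_length位字符')
    # Truncate before checking so the blacklist covers exactly the prefix
    # that is returned; previously over-long input skipped the check.
    kept = sql[:max_length]
    if any(ch in dirty_stuff for ch in kept):
        # NOTE(review): the message says the IP is recorded, but nothing
        # here logs anything — confirm that the caller does.
        print("检测到非法SQL字符,IP已记录,您将无法再访问")
        return ""
    if not truncated:
        print('SQL校验通过:', kept)
    return escape_string(kept)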