springboot專案防止sql注入
原文地址:https://blog.csdn.net/weixin_39728880/article/details/101029681
在專案中我們經常會遇到這些sql注入的問題,這邊我介紹的是通過filter攔截的方式進行過濾一些sql指令碼的注入,在平時程式設計的時候我們也要注意,在程式中編寫sql指令碼(mapper.xml) 檔案的時候能用#儘量用#,避免一個惡意攻擊網站的人。
首先介紹一下#和$的區別:
- #{}:佔位符號,好處防止sql注入,自帶單引號變數
- ${}:sql拼接符號,原生變數
接下來介紹寫在java專案中(springboot)如何通過webFilter防止sql注入:
/**private String regx;
public void init(FilterConfig filterConfig) throws ServletException {
this.regx = filterConfig.getInitParameter("regx");
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
Map parametersMap = servletRequest.getParameterMap();
Iterator it = parametersMap.entrySet().iterator();
while (it.hasNext()) {
Map.Entry entry = (Map.Entry) it.next();
String[] value = (String[]) entry.getValue();
for (int i = 0; i < value.length; i++) {
if (null != value[i] && value[i].matches(this.regx)) {
log.error("您輸入的引數有非法字元,請輸入正確的引數!");
servletRequest.setAttribute("err", "您輸入的引數有非法字元,請輸入正確的引數!");
servletRequest.setAttribute("pageUrl",req.getRequestURI());
servletRequest.getRequestDispatcher(servletRequest.getServletContext().getContextPath() + "/error").forward(servletRequest, servletResponse);
return;
}
}
}
}
filterChain.doFilter(servletRequest, servletResponse);}
public void destroy() {
}
}
啟動類上記得加註解:
@ServletComponentScan(basePackages ="xxxx.xxx.xxx.filter") //filter所在的包,掃描