用過濾器防sql注入
阿新 • • 發佈:2020-12-25
技術標籤:問題集用過濾器防sql注入防sql注入過濾器解決sql注入
使用過濾器是解決sql注入的一種方式,其它可以前端校驗處理等
過濾器寫法:
package XXX.utils; import javax.servlet.*; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.util.Enumeration; /** * sql注入過濾器 * @Date 2020/12/24 **/ public class SqlInjectionFilter implements Filter{ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; //獲得所有請求引數名 Enumeration params = req.getParameterNames(); String sql = ""; while (params.hasMoreElements()) { //得到引數名 String name = params.nextElement().toString(); //System.out.println("name===========================" + name + "--"); //得到引數對應值 String[] value = req.getParameterValues(name); for (int i = 0; i < value.length; i++) { sql = sql + value[i]; } } //System.out.println("============================SQL"+sql); //有sql關鍵字,跳轉到error.html if (sqlValidate(sql)) { throw new IOException("您傳送請求中的引數中含有非法字元"); } else { chain.doFilter(req, res); } } //效驗 protected static boolean sqlValidate(String str) { str = str.toLowerCase();//統一轉為小寫 //String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like"; String badStr = "'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|" + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#";//過濾掉的sql關鍵字,可以手動新增 String[] badStrs = badStr.split("\\|"); for (int i = 0; i < badStrs.length; i++) { if (str.indexOf(badStrs[i]) !=-1) { return true; } } return false; } public void init(FilterConfig filterConfig) throws ServletException { //throw new UnsupportedOperationException("Not supported yet."); } public void destroy() { //throw new UnsupportedOperationException("Not supported yet."); } }
web.xml中做配置
<filter> <filter-name>SqlInjectionFilter</filter-name> <filter-class>com.hnac.hzinfo.common.utils.SqlInjectionFilter</filter-class> </filter> <filter-mapping> <filter-name>SqlInjectionFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>