2. 技术
    3. JavaWeb项目解决 sql 注入问题(过滤器进行过滤解决)

    JavaWeb项目解决 sql 注入问题(过滤器进行过滤解决)

    技术2023-08-22  89

    **

    1、编写过滤器类—SqlFilter.java

    **

    package com.yl.zp.controller; import java.io.IOException; import java.util.Enumeration; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; @Component public class SqlFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { // TODO 自动生成的方法存根 } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; //获得所有请求参数名 Enumeration params = req.getParameterNames(); String sql = ""; while (params.hasMoreElements()) { //得到参数名 String name = params.nextElement().toString(); //System.out.println("name===========================" + name + "--"); //得到参数对应值 String[] value = req.getParameterValues(name); for (int i = 0; i < value.length; i++) { sql = sql + value[i]; } } System.out.println("被匹配字符串:"+sql); if (sqlValidate(sql)) { //res.sendRedirect("error.jsp"); System.out.println("发现sql注入。。。。。。。"); } else { chain.doFilter(req, res); } } @Override public void destroy() { // TODO 自动生成的方法存根 } //校验 protected static boolean sqlValidate(String str) { str = str.toLowerCase();//统一转为小写 //String badStr = "and|exec"; String badStr = "'|and|exec|execute|insert|select|delete| update|count|drop|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|or|like|-|--|+|,|like|//|/|%| #"; /*String badStr = "'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|" + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#"; */ //过滤掉的sql关键字,可以手动添加 String[] badStrs = badStr.split("\\|"); for (int i = 0; i < badStrs.length; i++) { if (str.indexOf(badStrs[i]) !=-1) { System.out.println("匹配到:"+badStrs[i]); return true; } } return false; } }

    **

    2、在 web.xml 中配置过滤器

    **

    <filter> <filter-name>SqlFilter</filter-name> <filter-class>com.yl.zp.controller.SqlFilter</filter-class> </filter> <filter-mapping> <filter-name>SqlFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>

    这样就可以了,这样的配置会拦截所有的请求,对请求中的参数进行检验。

    ========================================================= 如有问题,可加我互相学习探讨:QQ:839785192

    Processed: 0.009, SQL: 10