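/**
 * Servlet filter that scans every request parameter for a fixed list of SQL keywords and
 * metacharacters and logs a warning when one is found.
 *
 * <p>This is a heuristic detector, not an injection defence. Matching is a plain
 * case-insensitive substring search with no word boundaries, and the token list contains
 * very common characters and words ({@code -}, {@code ,}, {@code %}, {@code /}, {@code or},
 * {@code by}, ...), so ordinary input will frequently match. The robust mitigation is to
 * build every statement with {@code PreparedStatement} placeholders; this filter only adds
 * a monitoring signal. Requests are always passed down the chain, see {@link #doFilter}.
 *
 * <p>Author: dlj, 2018-01-16 09:37:04
 */
public class AntiSqlInjectionfilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(AntiSqlInjectionfilter.class);

    /**
     * Tokens that count as a hit, kept verbatim from the original list (duplicates included;
     * they are harmless). Extend the list here rather than inline. Each entry is compared as a
     * substring of the lower-cased parameter value.
     */
    private static final String[] BAD_TOKENS = (
            "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|"
            + "char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|"
            + "table|from|grant|use|group_concat|column_name|"
            + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|"
            + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#").split("\\|");

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure: the token list is static.
    }

    /**
     * Checks each value of each request parameter with {@link #sqlValidate(String)}.
     *
     * <p>A hit is logged with the parameter name, method and URI only; the value itself is not
     * written to the log because parameters may carry credentials or personal data. The request
     * is then passed on unchanged, as in the original version: the filter observes, it does not
     * block. Promote a hit to a 4xx response only after assessing false positives from the broad
     * token list.
     *
     * @throws ClassCastException if the request is not an HTTP request
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Legacy header: current browsers ignore X-XSS-Protection; a Content-Security-Policy
        // header is the supported mechanism. Kept for older clients.
        resp.setHeader("X-xss-protection", "1;mode=block");

        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            // Values are checked one by one rather than concatenated, so tokens cannot be
            // formed accidentally across the boundary of two unrelated values.
            for (String value : values) {
                if (sqlValidate(value)) {
                    logger.warn("Suspicious SQL token in parameter '{}' of {} {}",
                            name, req.getMethod(), req.getRequestURI());
                    break; // one warning per parameter is enough
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }

    /**
     * Returns {@code true} if {@code str} contains any entry of {@link #BAD_TOKENS}, compared
     * case-insensitively. {@code null} and empty input never match.
     *
     * <p>Matching is substring-based: {@code order} hits on "border", {@code by} on "baby".
     * Treat a hit as a signal for logging, not as proof of an attack.
     *
     * @param str parameter value to inspect, may be {@code null}
     * @return whether any blocklisted token occurs in the value
     */
    protected static boolean sqlValidate(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        // Locale.ROOT: keyword matching must not depend on the server's default locale.
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String token : BAD_TOKENS) {
            if (lowered.contains(token)) {
                return true;
            }
        }
        return false;
    }
}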
-------------------------------
web.xml中添加配置
<!-- 防止sql注入拦截器 -->
<filter>
<description>防止sql注入拦截</description>
<filter-name>antiSqlInjectionfilter</filter-name>
<filter-class>com.zte.web.filter.AntiSqlInjectionfilter</filter-class>
</filter>
<filter-mapping>
<filter-name>antiSqlInjectionfilter</filter-name>
<url-pattern>*.shtml</url-pattern>
</filter-mapping>