欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

Java防SQL注入工具类 博客分类: javasql javasql注入 

程序员文章站 2024-03-09 17:10:11
...

 

import javax.servlet.http.HttpServletRequest;

/**
 * 防SQL注入工具类
 * 把SQL关键字替换为空字符串
 * @author zhao
 * @since 2015.7.23
 */
public class AntiSqlInjection {
	
	public final static String regex = "'|%|--|and|or|not|use|insert|delete|update|select|count|group|union" +
						"|create|drop|truncate|alter|grant|execute|exec|xp_cmdshell|call|declare|source|sql";

	/**
	 * 把SQL关键字替换为空字符串
	 * @param param
	 * @return
	 */
	public static String filter(String param){
		if(param == null){
			return param;
		}
		return param.replaceAll("(?i)"+regex, "");	//(?i)不区分大小写替换
	}
	
	/**
	 * 返回经过防注入处理的字符串
	 * @param request
	 * @param name
	 * @return
	 */
	public static String getParameter(HttpServletRequest request, String name){
		return AntiSqlInjection.filter(request.getParameter(name));
	}
	
	public static void main(String[] args) {
		//System.out.println(StringEscapeUtils.escapeSql("1' or '1' = '1; drop table test")); //1'' or ''1'' = ''1; drop table test
		String str = "sElect * from test where id = 1 And name != 'sql' ";
		String outStr = "";
		for(int i=0; i<1000; i++){
			outStr = AntiSqlInjection.filter(str);
		}
		System.out.println(outStr);
	}
}

 

参考:

java类过滤器,防止页面SQL注入

http://www.oschina.net/code/snippet_811941_14131

Java防止SQL注入的几个途径

http://helloklzs.iteye.com/blog/1329578

 

相关标签: java sql 注入