java 过滤器filter防sql注入的实现代码
2024-03-13 12:18:33
实例如下:
xssfilter.java
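/**
 * Screens a request before it reaches the application.
 *
 * <p>With {@code urlOnly == true} (the only value the code ever sets) only the query
 * string is inspected: a few callback paths are exempted, the query is URL-decoded and
 * passed through the keyword blacklists of {@link #cleanSqlInject} and {@link #cleanXss},
 * and if anything was rewritten the client is redirected to the same URL with the
 * rewritten query. Headers and POST bodies are not looked at in this mode. With
 * {@code false} the whole request is wrapped in {@code RequestWrapper}, which filters
 * every parameter and header read (strict; easily damages legitimate form input).
 *
 * <p>Both modes are blacklists. They do not make string-built SQL safe (queries must use
 * {@code PreparedStatement} parameters) and they do not replace output encoding where a
 * value is rendered; treat them as a coarse tripwire, not as the injection defence.
 *
 * @param servletRequest  incoming request; cast to {@code HttpServletRequest}
 * @param servletResponse outgoing response; cast to {@code HttpServletResponse}
 * @param filterChain     remainder of the filter chain
 * @throws IOException      from {@code sendRedirect} or the chain
 * @throws ServletException from the chain
 */
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
        FilterChain filterChain) throws IOException, ServletException {
    // true  = validate only the URL / query string;
    // false = validate every field, forms included (strict, see the guard below).
    final boolean urlOnly = true;
    if (!urlOnly) {
        filterChain.doFilter(new RequestWrapper((HttpServletRequest) servletRequest), servletResponse);
        return;
    }

    HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
    HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;

    // getRequestURL() is scheme + host + path without the query; it is never null.
    String requestUri = URLDecoder.decode(httpServletRequest.getRequestURL().toString(), "utf-8");

    // Payment / login callbacks bypass the filter entirely. This is a substring
    // match on the whole URL, not an exact path match, so it is looser than it looks.
    String[] exemptPaths = {
        "alipay_hotel_book_return.html",
        "account_bank_return.html",
        "/alipay/activity.html",
        "/alipaylogin.html",
    };
    for (String exempt : exemptPaths) {
        if (requestUri.indexOf(exempt) != -1) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
    }

    RequestWrapper rw = new RequestWrapper(httpServletRequest);
    String param = httpServletRequest.getQueryString();
    if (param != null && !param.isEmpty()) {
        param = URLDecoder.decode(param, "utf-8");
        String sqlParam = param;
        // The SQL-keyword pass is applied only to the two free-text pages.
        if (requestUri.endsWith("/askquestion.html") || requestUri.endsWith("/member/answer.html")) {
            sqlParam = rw.cleanSqlInject(param);
        }
        String xssParam = rw.cleanXss(sqlParam);
        if (!xssParam.equals(param)) {
            // Something was rewritten: bounce the client to the cleaned URL instead of
            // serving the request. The query is the *decoded* text appended without
            // re-encoding, so '%' and spaces reach sendRedirect raw - TODO confirm intended.
            requestUri += "?" + xssParam;
            System.out.println("requesturi::::::" + requestUri);
            httpServletResponse.sendRedirect(requestUri);
            System.out.println("no entered.");
            return;
        }
    }
    filterChain.doFilter(servletRequest, servletResponse);
}

// ---- RequestWrapper members. The class header is not on the page; the super(...)
// ---- calls below show it wraps an HttpServletRequest.

/** Compiled once instead of on every call (the original recompiled per invocation). */
private static final Pattern SCRIPT_OR_EVAL =
        Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
private static final Pattern JAVASCRIPT_URL =
        Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
/** Keywords mangled by {@link #cleanSqlInject}; one pass so outputs never feed later rules. */
private static final Pattern SQL_KEYWORDS =
        Pattern.compile("insert|select|update|delete|and|or", Pattern.CASE_INSENSITIVE);

/**
 * No-argument form kept for source compatibility. {@code ServletRequestWrapper}
 * rejects a null request with {@code IllegalArgumentException}, so this constructor
 * cannot succeed at run time.
 */
public RequestWrapper() {
    super(null);
}

/** Wraps {@code httpServletRequest}; every parameter and header read is passed through both blacklists. */
public RequestWrapper(HttpServletRequest httpServletRequest) {
    super(httpServletRequest);
}

/**
 * Returns the wrapped request's values for {@code s}, each rewritten by
 * {@link #cleanSqlInject} then {@link #cleanXss}; {@code null} when the parameter is absent.
 */
@Override
public String[] getParameterValues(String s) {
    String[] values = super.getParameterValues(s);
    if (values == null) {
        return null;
    }
    String[] cleaned = new String[values.length];
    for (int i = 0; i < values.length; i++) {
        cleaned[i] = cleanXss(cleanSqlInject(values[i]));
    }
    return cleaned;
}

/** Single parameter value rewritten by both blacklists; {@code null} when absent. */
@Override
public String getParameter(String s) {
    String value = super.getParameter(s);
    return value == null ? null : cleanXss(cleanSqlInject(value));
}

/** Header value rewritten by both blacklists; {@code null} when absent. */
@Override
public String getHeader(String s) {
    String value = super.getHeader(s);
    return value == null ? null : cleanXss(cleanSqlInject(value));
}

/**
 * Rewrites {@code src} so common script fragments are neutralised.
 *
 * <p>Order matters: {@code eval(...)}, {@code script} and quoted {@code javascript:}
 * URLs are removed first (case-insensitively), then {@code ;}, {@code "}, {@code @},
 * {@code ,} and the literal texts {@code 0x0d}/{@code 0x0a} are stripped, and only then
 * are {@code < > ( ) '} turned into HTML entities. Doing the entity step last keeps the
 * {@code ;} of each entity intact and lets the {@code eval(} pattern still see a real
 * parenthesis. The stripping is lossy - ordinary values such as e-mail addresses lose
 * their {@code @}. Being a blacklist, this is no substitute for contextual output
 * encoding at the point the value is rendered.
 *
 * @param src raw value; {@code null} is returned unchanged
 * @return the rewritten value (equal to {@code src} when nothing matched)
 */
public String cleanXss(String src) {
    if (src == null) {
        return null;
    }
    String original = src;
    System.out.println("xss---temp-->" + src);
    src = SCRIPT_OR_EVAL.matcher(src).replaceAll("");
    src = JAVASCRIPT_URL.matcher(src).replaceAll("\"\"");
    // Blanket removals. The plain "script" step is already covered by SCRIPT_OR_EVAL
    // but is kept for fidelity with the original table.
    src = src.replaceAll("script", "").replaceAll(";", "")
            .replaceAll("\"", "").replaceAll("@", "")
            .replaceAll("0x0d", "")
            .replaceAll("0x0a", "").replaceAll(",", "");
    // Entity-encode rather than delete so the text still reads the same. (The page
    // rendered these as identity replacements, which did nothing.)
    src = src.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
    src = src.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
    src = src.replaceAll("'", "&#39;");
    if (!original.equals(src)) {
        System.out.println("输入信息存在xss攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + src);
    }
    return src;
}

/**
 * Mangles SQL keywords so a concatenated query is less likely to parse.
 *
 * <p>Each of {@code insert select update delete and or} becomes {@code "forbid"} plus
 * the keyword's first letter (the original table), matched case-insensitively (the
 * original's own TODO) in a single pass, so the {@code "forbid..."} output is never
 * re-matched by the {@code or} rule as the chained {@code replaceAll} calls did.
 * Matches are plain substrings, so ordinary words containing them ("order", "android")
 * are rewritten too. This is not a defence against SQL injection; queries must use
 * {@code PreparedStatement} parameters regardless of this filter.
 *
 * @param src raw value; {@code null} is returned unchanged
 * @return the value with keywords replaced
 */
public String cleanSqlInject(String src) {
    if (src == null) {
        return null;
    }
    String original = src;
    Matcher m = SQL_KEYWORDS.matcher(src);
    StringBuffer out = new StringBuffer();
    while (m.find()) {
        // "forbid" + first letter of the matched keyword: insert->forbidi, or->forbido, ...
        char initial = Character.toLowerCase(m.group().charAt(0));
        m.appendReplacement(out, "forbid" + initial);
    }
    m.appendTail(out);
    src = out.toString();
    if (!original.equals(src)) {
        System.out.println("输入信息存在sql攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + src);
    }
    return src;
}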
xml配置:
<!-- Registers the filter for every request (url-pattern /*).
     NOTE(review): the "encoding" init-param is declared here, but the doFilter shown
     above decodes with a literal "utf-8" and never reads it; confirm it is used
     elsewhere or drop it. -->
<filter>
  <filter-name>xssfilter</filter-name>
  <filter-class>cn.com.jsoft.xss.xssfilter</filter-class>
  <init-param>
    <param-name>encoding</param-name>
    <param-value>utf-8</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>xssfilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
以上代码仅仅替换或去掉了特殊的 SQL 关键字和 script 脚本字符，具体的页面处理仍然需要后台进行。
关于这篇java 过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持。