java 过滤器filter防sql注入的实现代码
程序员文章站
2024-03-13 21:12:52
实例如下:
xssfilter.java
public void dofilter(servletrequest servletrequest,
ser...
实例如下:
xssfilter.java
public void dofilter(servletrequest servletrequest,
servletresponse servletresponse, filterchain filterchain)
throws ioexception, servletexception {
//flag = true 只做url验证; flag = false 做所有字段的验证;
boolean flag = true;
if(flag){
//只对url做xss校验
httpservletrequest httpservletrequest = (httpservletrequest) servletrequest;
httpservletresponse httpservletresponse = (httpservletresponse) servletresponse;
string requesturi = httpservletrequest.getrequesturl().tostring();
requesturi = urldecoder.decode(requesturi, "utf-8");
if(requesturi!=null&&requesturi.indexof("alipay_hotel_book_return.html")!=-1){
filterchain.dofilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexof("account_bank_return.html")!=-1){
filterchain.dofilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexof("/alipay/activity.html")!=-1){
filterchain.dofilter(servletrequest, servletresponse);
return ;
}
if(requesturi!=null&&requesturi.indexof("/alipaylogin.html")!=-1){
filterchain.dofilter(servletrequest, servletresponse);
return ;
}
requestwrapper rw = new requestwrapper(httpservletrequest);
string param = httpservletrequest.getquerystring();
if(!"".equals(param) && param != null) {
param = urldecoder.decode(param, "utf-8");
string originalurl = requesturi + param;
string sqlparam = param;
//添加sql注入的判断
if(requesturi.endswith("/askquestion.html") || requesturi.endswith("/member/answer.html")){
sqlparam = rw.cleansqlinject(param);
}
string xssparam = rw.cleanxss(sqlparam);
requesturi += "?"+xssparam;
if(!xssparam.equals(param)){
system.out.println("requesturi::::::"+requesturi);
httpservletresponse.sendredirect(requesturi);
system.out.println("no entered.");
// filterchain.dofilter(new requestwrapper((httpservletrequest) servletrequest), servletresponse);
return ;
}
}
filterchain.dofilter(servletrequest, servletresponse);
}else{
//对请求中的所有东西都做校验,包括表单。此功能校验比较严格容易屏蔽表单正常输入,使用此功能请注意。
filterchain.dofilter(new requestwrapper((httpservletrequest) servletrequest), servletresponse);
}
}
requestmapping:
public requestwrapper(){
super(null);
}
public requestwrapper(httpservletrequest httpservletrequest) {
super(httpservletrequest);
}
public string[] getparametervalues(string s) {
string str[] = super.getparametervalues(s);
if (str == null) {
return null;
}
int i = str.length;
string as1[] = new string[i];
for (int j = 0; j < i; j++) {
as1[j] = cleanxss(cleansqlinject(str[j]));
}
return as1;
}
public string getparameter(string s) {
string s1 = super.getparameter(s);
if (s1 == null) {
return null;
} else {
return cleanxss(cleansqlinject(s1));
}
}
public string getheader(string s) {
string s1 = super.getheader(s);
if (s1 == null) {
return null;
} else {
return cleanxss(cleansqlinject(s1));
}
}
public string cleanxss(string src) {
string temp =src;
system.out.println("xss---temp-->"+src);
src = src.replaceall("<", "<").replaceall(">", ">");
// if (src.indexof("address")==-1)
// {
src = src.replaceall("\\(", "(").replaceall("\\)", ")");
//}
src = src.replaceall("'", "'");
pattern pattern=pattern.compile("(eval\\((.*)\\)|script)",pattern.case_insensitive);
matcher matcher=pattern.matcher(src);
src = matcher.replaceall("");
pattern=pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",pattern.case_insensitive);
matcher=pattern.matcher(src);
src = matcher.replaceall("\"\"");
//增加脚本
src = src.replaceall("script", "").replaceall(";", "")
.replaceall("\"", "").replaceall("@", "")
.replaceall("0x0d", "")
.replaceall("0x0a", "").replaceall(",", "");
if(!temp.equals(src)){
system.out.println("输入信息存在xss攻击!");
system.out.println("原始输入信息-->"+temp);
system.out.println("处理后信息-->"+src);
}
return src;
}
//需要增加通配,过滤大小写组合
public string cleansqlinject(string src) {
string temp =src;
src = src.replaceall("insert", "forbidi")
.replaceall("select", "forbids")
.replaceall("update", "forbidu")
.replaceall("delete", "forbidd")
.replaceall("and", "forbida")
.replaceall("or", "forbido");
if(!temp.equals(src)){
system.out.println("输入信息存在sql攻击!");
system.out.println("原始输入信息-->"+temp);
system.out.println("处理后信息-->"+src);
}
return src;
}
xml配置:
<filter> <filter-name>xssfilter</filter-name> <filter-class>cn.com.jsoft.xss.xssfilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>utf-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>xssfilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
以上代码仅仅将特殊的sql字符,特殊script脚本字符处理掉,具体的页面处理还需要后台处理!!
关于这篇java 过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持。
上一篇: php中序列化与反序列化详解
下一篇: php数组指针操作详解