java 过滤器filter防sql注入

时间:2025-03-23 07:23:02

/**
 * Entry point of the filter that web.xml maps to {@code /*} (see the "XssFilter" config below).
 *
 * Two modes, chosen by the hard-coded local {@code flag}:
 *  - {@code true}  : only the request URI and its query string are inspected, and the
 *                    ORIGINAL, unwrapped request is forwarded — handlers still see raw values.
 *  - {@code false} : the request is wrapped in {@code RequestWrapper}, whose
 *                    getParameter/getParameterValues/getHeader rewrite every value they return.
 *
 * NOTE(review): the receivers of many calls were lost when this listing was published
 * (e.g. {@code ().toString()}, {@code (requesturi, "UTF-8")}, {@code ("/")!=-1}). The comments
 * below name the presumed calls; confirm against the downloadable source before relying on them.
 *
 * Security summary (details inline): keyword/character stripping is neither a SQL-injection nor
 * an XSS defense — it is bypassable and corrupts legitimate input. The real controls are
 * PreparedStatement in the data layer and context-aware output encoding in the view; this
 * filter can at most be a supplementary layer.
 *
 * @param servletrequest  incoming request, cast to HttpServletRequest without an instanceof check
 * @param servletresponse outgoing response
 * @param filterchain     remainder of the chain (presumably what the bare
 *                        {@code (servletrequest, servletresponse)} calls invoke)
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
public void doFilter(ServletRequest servletrequest,
			ServletResponse servletresponse, FilterChain filterchain)
			throws IOException, ServletException {
		

		// flag = true: validate the URL only; flag = false: validate every field.
		// Hard-coded: the mode cannot be switched without a recompile, and the "encoding"
		// init-param declared in web.xml is not consulted anywhere in the code shown.
		boolean flag = true;
		if(flag){
			// URL-only XSS check.
			// Unchecked casts: a non-HTTP request would fail here with ClassCastException.
			HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
			HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;
			
			// Presumably httpServletRequest.getRequestURL().toString() (the .toString() suggests
			// a StringBuffer), then URL-decoded as UTF-8 — both receivers were lost in extraction.
			String requesturi = ().toString();
			requesturi = (requesturi, "UTF-8");
			// Allow-list by substring (presumably requesturi.indexOf(...)): a URI that merely
			// CONTAINS one of these fragments anywhere, e.g. "/x/alipay/y", skips every check
			// below. The payment/bank callbacks are exempted because their signed parameters
			// contain characters the cleaners would destroy.
			if(requesturi!=null&&("alipay_hotel_book_return.html")!=-1){
				// presumably filterchain.doFilter(servletrequest, servletresponse)
				(servletrequest, servletresponse);
				return;
			}
			if(requesturi!=null&&("account_bank_return.html")!=-1){
				(servletrequest, servletresponse);
				return;
			}
			if(requesturi!=null&&("/alipay/")!=-1){
				(servletrequest, servletresponse);
				return ;
			}
			// NOTE(review): as published this tests for "/", which every request URI contains,
			// so every request would take this early exit and nothing below would ever run.
			// The real fragment may have been truncated when the page was rendered — verify,
			// because if it is literally "/" the whole URL mode is a no-op.
			if(requesturi!=null&&("/")!=-1){
				(servletrequest, servletresponse);
				return ;
			}
			// The wrapper is only used to read one value here (presumably rw.getQueryString());
			// it is NOT the request that gets forwarded, so nothing downstream is sanitized.
			RequestWrapper rw = new RequestWrapper(httpServletRequest);
			String param =  ();
			if(!"".equals(param) && param != null) {
				// Decode the raw query string (presumably URLDecoder.decode) before inspecting it.
				param = (param, "UTF-8");
				String originalurl = requesturi + param;   // assigned but never read in the code shown
				
				String sqlParam = param;
				// SQL-injection keyword pass, applied only under two URL prefixes (presumably
				// requesturi.startsWith(...)); every other path skips it entirely.
				if(("/") || ("/member/")){
					sqlParam = (param);
				}
				
				// XSS pass over the (possibly keyword-rewritten) query; presumably rw.cleanXSS(...)
				String xssParam = (sqlParam);
				// Rebuilt URL with the cleaned query — its only use is inside the branch below.
				requesturi += "?"+xssParam;
				
				
				// Presumably "did cleaning change the query?" (the exact predicate was lost).
				// When it did, the request is NOT forwarded at all — the wrapped forward on the
				// commented-out line was abandoned — and the only effect is whatever the bare call
				// on `requesturi` does (a redirect to the cleaned URL?). Only the query string is
				// ever examined in this mode: POST form fields, JSON bodies, headers and cookies
				// pass through untouched.
				if(!(param)){
					("requesturi::::::"+requesturi);
					(requesturi);
					("no entered.");
//					(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
					return ;
				}
			}
			// Forward the ORIGINAL request, not `rw`: handlers receive the raw parameters.
			(servletrequest, servletresponse);
		}else{
			
			// Validate everything in the request, form fields included, by forwarding the
			// wrapped request. This mode is strict and readily blocks legitimate form input
			// (e-mail addresses lose "@", CSV/JSON values lose "," and quotes, words containing
			// "and"/"or" are rewritten) — see the RequestWrapper cleaners. Use with care.
			(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
		}
	}

RequestWrapper 请求包装类（方法节选；类声明、继承关系和 import 未在文中给出，下面的方法需放在该类中）:

/**
 * No-arg constructor.
 * NOTE(review): doFilter passes instances of this class to the filter chain as a request, which
 * implies it extends HttpServletRequestWrapper; that wrapper rejects a null request with an
 * IllegalArgumentException, so {@code super(null)} means this constructor can never succeed.
 * It should be removed rather than left as a trap for callers.
 */
public RequestWrapper(){
		super(null);
	}

	/**
	 * Wraps the real request; every override below delegates to it and rewrites what it returns.
	 * @param httpservletrequest the container's request, must not be null
	 */
	public RequestWrapper(HttpServletRequest httpservletrequest) {
		super(httpservletrequest);
	}

	/**
	 * Returns the parameter's values with each element run through cleanSQLInject, then cleanXSS.
	 * (The delegate call and the length expression lost their receivers in extraction —
	 * presumably {@code super.getParameterValues(s)} and {@code str.length}.)
	 *
	 * NOTE(review): this rewrites the value the application goes on to store and use, so a
	 * legitimate "a@b.com" or "salt and pepper" reaches the handler mutilated. Also, in the
	 * portion of the class shown, getParameterMap(), getQueryString(), getHeaders(String) and
	 * the request body (getInputStream/getReader, i.e. JSON payloads) are not overridden, so
	 * anything read through those paths is the raw value.
	 *
	 * @param s parameter name
	 * @return rewritten copies of the values, or null when the parameter is absent
	 */
	public String[] getParameterValues(String s) {
		String str[] = (s);
		if (str == null) {
			return null;
		}
		int i = ;
		String as1[] = new String[i];
		for (int j = 0; j < i; j++) {
			// Order matters: the SQL keyword substitution runs first, then the XSS pass.
			as1[j] = cleanXSS(cleanSQLInject(str[j]));
		}

		return as1;
	}

	/**
	 * Single-value variant of getParameterValues: delegates (presumably {@code super.getParameter(s)})
	 * and applies cleanSQLInject then cleanXSS to the result.
	 * The same caveat applies — legitimate input is rewritten, and parameters read through
	 * getParameterMap() or the request body are not covered in the portion shown.
	 *
	 * @param s parameter name
	 * @return the rewritten value, or null when the parameter is absent
	 */
	public String getParameter(String s) {
		String s1 = (s);
		if (s1 == null) {
			return null;
		} else {
			return cleanXSS(cleanSQLInject(s1));
		}
	}

	/**
	 * Delegates (presumably {@code super.getHeader(s)}) and rewrites the header value with
	 * cleanSQLInject then cleanXSS.
	 *
	 * NOTE(review): cleanXSS deletes ";", ",", "\"" and "@" from the value, so protocol headers
	 * read through this method are corrupted — e.g. "Content-Type: ...; charset=UTF-8" loses its
	 * parameter separator, "Cookie: a=1; b=2" and comma-separated "Accept" lists are merged.
	 * getHeaders(String) is not overridden in the portion shown, so frameworks that read headers
	 * through it get the raw value anyway; the override buys inconsistency, not protection.
	 *
	 * @param s header name
	 * @return the rewritten header value, or null when the header is absent
	 */
	public String getHeader(String s) {
		String s1 = (s);
		if (s1 == null) {
			return null;
		} else {
			return cleanXSS(cleanSQLInject(s1));
		}
	}

	/**
	 * Rewrites one request value in an attempt to neutralise script injection: substitutes
	 * {@code < > ( ) '}, deletes {@code eval(...)}, {@code "javascript:..."} and the word
	 * {@code script}, then deletes {@code ; " @ ,} and the literal texts {@code 0x0d}/{@code 0x0a}.
	 * When the value changed, the original and the rewritten value are both logged.
	 *
	 * NOTE(review): as published the first three substitutions replace a character with itself
	 * ({@code "<"} -> {@code "<"}); the source almost certainly used HTML entities
	 * ({@code &lt;} etc.) that the page renderer un-escaped — confirm against the download.
	 * Either way, entity-encoding at INPUT time is the wrong layer: it corrupts stored data and
	 * is wrong for every non-HTML sink, while HTML output still needs context-aware encoding.
	 * Several call receivers were lost in extraction (presumably {@code src.replaceAll},
	 * {@code Pattern.compile}, {@code pattern.matcher}, {@code matcher.replaceAll}).
	 *
	 * @param src raw value (non-null: the callers above return early on null)
	 * @return the rewritten value
	 */
	public String cleanXSS(String src) {
		String temp =src;

		// Logs EVERY value that passes through, before any check — including values that
		// are never modified. For parameters this means form input is written to the log.
		("xss---temp-->"+src);
        src = ("<", "<").replaceAll(">", ">");
       // if (("address")==-1)
	//	{
          src = ("\\(", "(").replaceAll("\\)", ")");
		//}
     
        src = ("'", "'");
        
        // Case-insensitive deletion of "eval(...)" and "script". The greedy (.*) spans from the
        // first "eval(" to the LAST ")" in the value, deleting everything in between.
        // The pattern is recompiled on every call; it could be a static final.
        Pattern pattern=("(eval\\((.*)\\)|script)",Pattern.CASE_INSENSITIVE);   
	    Matcher matcher=(src);   
	    // Single-pass deletion is bypassable by nesting the token in itself:
	    // "scrscriptipt" -> "script" after this pass. The case-sensitive second pass below
	    // removes one more level, so "scrscrscriptiptipt" still comes out as "script".
	    src = ("");

	    // Deletes a quoted "javascript:..." URL; again greedy up to the last quote.
	    pattern=("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",Pattern.CASE_INSENSITIVE); 
	    matcher=(src);
	    src = ("\"\"");
	    
	    // Additional character stripping.
	    // NOTE(review): ";" "\"" "@" "," are deleted from ALL values — e-mail addresses, JSON,
	    // CSV and cookie values are destroyed. "0x0d"/"0x0a" are the literal four-character
	    // strings, not CR/LF: real "\r" and "\n" in the value are left untouched.
	    src = ("script", "").replaceAll(";", "")
	    	.replaceAll("\"", "").replaceAll("@", "")
	    	.replaceAll("0x0d", "")
	    	.replaceAll("0x0a", "").replaceAll(",", "");

		// Presumably !temp.equals(src): any altered value is logged in full, original first.
		// If a password or token parameter contains one of the stripped characters it lands
		// in the log in clear text.
		if(!(src)){
			("输入信息存在xss攻击!");
			("原始输入信息-->"+temp);
			("处理后信息-->"+src);
		}
		return src;
	}
	
	// TODO: the replacements below are case-sensitive ("SELECT", "Select" pass through untouched).
	// Note, though, that a keyword blacklist is not a SQL-injection defense at all — see the
	// review notes on cleanSQLInject; the fix belongs in the data layer (PreparedStatement).
	/**
	 * Rewrites a value by substituting a marker for each of the substrings
	 * insert/select/update/delete/and/or, logging the original and result when anything changed.
	 * (The first call lost its receiver in extraction — presumably {@code src.replaceAll}.)
	 *
	 * NOTE(review): this does not prevent SQL injection and should not be relied on:
	 *  - it is case-sensitive ("SELECT", "UnIoN") and ignores everything not listed
	 *    (union, drop, comments "--" and "/*", the quote character itself);
	 *  - "and"/"or" are plain substrings, so ordinary data is rewritten on its way into the
	 *    database: "android" -> "forbidAroid", "Dorothy" -> "DforbidOothy";
	 *  - the passes are chained, and every marker inserted by the earlier passes ("forbidI",
	 *    "forbidS", ...) itself contains "or", so the final pass rewrites them again:
	 *    "select" -> "forbidS" -> "fforbidObidS".
	 * The correct control is parameterised queries (PreparedStatement with "?" placeholders)
	 * in the DAO layer; input should be passed through unchanged.
	 *
	 * @param src raw value (non-null: the callers above return early on null)
	 * @return the rewritten value
	 */
	public String cleanSQLInject(String src) {
		String temp =src;
        src = ("insert", "forbidI")
        	.replaceAll("select", "forbidS")
        	.replaceAll("update", "forbidU")
        	.replaceAll("delete", "forbidD")
        	.replaceAll("and", "forbidA")
        	// Runs last over the output of the passes above, so it also hits the "or" inside
        	// each "forbid…" marker they inserted.
        	.replaceAll("or", "forbidO");
        
		// Presumably !temp.equals(src); the unmodified input is written to the log.
		if(!(src)){
			("输入信息存在SQL攻击!");
			("原始输入信息-->"+temp);
			("处理后信息-->"+src);
		}
		return src;
	}

web.xml 过滤器配置:

<!-- Declaration of the filter whose doFilter is listed above.
     NOTE(review): <filter-class> is empty as published (lost in extraction); it must hold the
     fully-qualified name of the filter class or the web application will fail to deploy.
     The "encoding" init-param is declared here but nothing in the doFilter shown reads it —
     the UTF-8 decoding there is hard-coded. -->
<filter>
		<filter-name>XssFilter</filter-name>
		<filter-class></filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>UTF-8</param-value>
		</init-param>
	</filter>
	<!-- "/*" routes every request through the filter. With no <dispatcher> element the Servlet
	     default applies (REQUEST only), so FORWARD/INCLUDE/ERROR dispatches bypass it.
	     doFilter itself additionally exempts any URI containing the alipay/bank callback fragments. -->
	<filter-mapping>
		<filter-name>XssFilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>


以上代码仅仅是把部分 SQL 关键字和 script/特殊字符替换掉，并不能真正防止 SQL 注入或 XSS：关键字黑名单很容易被绕过（大小写变化、未列出的 union/drop/注释符等），还会破坏正常输入（含 and/or 的单词、带 @ 或逗号的值）。SQL 注入的根本防御是后台数据层使用 PreparedStatement 参数化查询；XSS 的根本防御是页面输出时按上下文进行编码（HTML 实体编码等）。具体的页面处理还需要后台处理，本过滤器至多只能作为辅助手段！！


源码下载地址:/detail/xb12369/7145235



-------------------------------------------------2018年7月10日 16:30:42 补充-------------------------------------------------

/**
     * Rewrites one request value (2018 supplement, successor of cleanXSS above): substitutes
     * &lt; &gt; ( ) ' and &amp;, and deletes eval(...), a quoted "javascript:..." URL and the
     * word "script". Returns the input unchanged when the initial guard (presumably a null/blank
     * check — its receiver was lost in extraction) short-circuits.
     * NOTE(review): as published every substitution replaces a character with itself; the
     * original most likely used HTML entities that the page renderer un-escaped — confirm.
     * @param value raw parameter or header value, may be null
     * @return the rewritten value, or the input itself when the guard short-circuits
     */
    // Review notes: several call receivers were lost in extraction (presumably
    // value.replaceAll / value.replace and a blank check on the first line).
    private String  processXss(String value){
        // Guard: presumably a null/blank check; getParameter/getHeader rely on it for null.
        if((value)){
            return value;
        }
        value = ("<", "<").replaceAll(">", ">");
        // NOTE(review): asymmetric — replaceAll("\\(") is a regex matching "(", but
        // replace("\\)") is a LITERAL replace of the two-character sequence backslash+")",
        // so a bare ")" is never touched by this line.
        value = ("\\(", "(").replace("\\)", ")");
        value = ("'", "'");
        // Case-sensitive here (unlike cleanXSS) and greedy up to the last ")".
        value = ("eval\\((.*)\\)", "");
        value = ("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // Case-sensitive, single pass: "Script" survives, and nested "scrscriptipt" -> "script".
        value = ("script", "");
        // NOTE(review): if this line was originally "&" -> "&amp;", running it LAST double-encodes
        // every entity the lines above inserted ("&lt;" -> "&amp;lt;"); "&" must be encoded first.
        value = ("&", "&");
        return value;
    }
/**
 * Delegates (presumably {@code super.getParameter(parameter)}) and rewrites the value with
 * processXss. A null (absent parameter) is passed straight into processXss, whose first guard
 * is relied on to return it unchanged. Values read via getParameterValues(), getParameterMap()
 * or the request body are not covered by this override.
 *
 * @param parameter parameter name
 * @return the rewritten value, or null when absent
 */
@Override
	public String getParameter(String parameter) {
		String value = (parameter);
		return processXss(value);
	}
/**
 * Delegates (presumably {@code super.getHeader(name)}) and rewrites the header value with
 * processXss; a null (absent header) is handed to processXss and relies on its first guard.
 * NOTE(review): rewriting protocol headers (Content-Type, Cookie, Accept ...) changes their
 * meaning for any framework code that reads them through getHeader; getHeaders(String) is not
 * overridden in the portion shown, so those readers get the raw value anyway.
 *
 * @param name header name
 * @return the rewritten header value, or null when absent
 */
@Override
	public String getHeader(String name) {
		String value = (name);
		return processXss(value);
	}