文件名称:java sql注入l
文件大小:777B
文件格式:BAT
更新时间:2015-10-22 09:49:01
sql注入
package com.tarena.dingdang.filter;
02
03 import java.io.IOException;
04 import java.util.Enumeration;
05
06 import javax.servlet.Filter;
07 import javax.servlet.FilterChain;
08 import javax.servlet.FilterConfig;
09 import javax.servlet.ServletException;
10 import javax.servlet.ServletRequest;
11 import javax.servlet.ServletResponse;
12 import javax.servlet.http.HttpServletRequest;
13
14 public class AntiSqlInjectionfilter implements Filter {
15
16 public void destroy() {
17 // TODO Auto-generated method stub
18 }
19
20 public void init(FilterConfig arg0) throws ServletException {
21 // TODO Auto-generated method stub
22 }
23
24 public void doFilter(ServletRequest args0, ServletResponse args1,
25 FilterChain chain) throws IOException, ServletException {
26 HttpServletRequest req=(HttpServletRequest)args0;
27 HttpServletRequest res=(HttpServletRequest)args1;
28 //获得所有请求参数名
29 Enumeration params = req.getParameterNames();
30 String sql = "";
31 while (params.hasMoreElements()) {
32 //得到参数名
33 String name = params.nextElement().toString();
34 //System.out.println("name===========================" + name + "--");
35 //得到参数对应值
36 String[] value = req.getParameterValues(name);
37 for (int i = 0; i < value.length; i++) {
38 sql = sql + value[i];
39 }
40 }
41 //System.out.println("============================SQL"+sql);
42 //有sql关键字,跳转到error.html
43 if (sqlValidate(sql)) {
44 throw new IOException("您发送请求中的参数中含有非法字符");
45 //String ip = req.getRemoteAddr();
46 } else {
47 chain.doFilter(args0,args1);
48 }
49 }
50
51 //效验
52 protected static boolean sqlValidate(String str) {
53 str = str.toLowerCase();//统一转为小写
54 String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|" +
55 "char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|" +
56 "table|from|grant|use|group_concat|column_name|" +
57 "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" +
58 "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#";//过滤掉的sql关键字,可以手动添加
59 String[] badStrs = badStr.split("\\|");
60 for (int i = 0; i < badStrs.length; i++) {
61 if (str.indexOf(badStrs[i]) >= 0) {
62 return true;
63 }
64 }
65 return false;
66 }
67 }
68
69
70 <!--在web.xml文件中的配置-->
71 <!-- 防止SQL注入的过滤器 -->
72