java 过滤器filter防sql注入的实现代码
实例如下:
XSSFilter.java
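/**
 * Screens the request URL and query string against a small blacklist of XSS / SQL-keyword
 * tokens before handing the request to the rest of the chain.
 *
 * <p>With {@code flag == true} (the only mode the code currently selects) just the URL is checked:
 * the query string is URL-decoded, passed through {@code RequestWrapper.cleanSQLInject} only for
 * the two question/answer pages, always through {@code RequestWrapper.cleanXSS}, and if the
 * cleaning changed anything the client is redirected to the cleaned URL instead of being served.
 * With {@code flag == false} the request is wrapped so that every parameter and header is cleaned.
 *
 * <p>Security notes: this is a keyword blacklist, not a parser. It does not replace parameterized
 * SQL ({@code PreparedStatement}) or context-aware output encoding on the pages themselves. The
 * exemption list is matched by substring ({@code indexOf}), so any URL that merely contains one
 * of those file names is exempted — matching the servlet path exactly would be tighter. The
 * redirect target is built from the URL-decoded query without re-encoding, so characters that
 * were percent-encoded may make the redirected request parse differently — TODO confirm that this
 * is acceptable for the affected pages.
 *
 * @param servletrequest  the request; cast to {@code HttpServletRequest} without a type check
 * @param servletresponse the response; used only for the redirect
 * @param filterchain     the remaining filter chain
 * @throws IOException      from the chain, {@code sendRedirect} or the URL decoder
 * @throws ServletException from the chain
 */
public void doFilter(ServletRequest servletrequest, ServletResponse servletresponse,
        FilterChain filterchain) throws IOException, ServletException {
    // flag=true: validate only the URL; flag=false: validate every field through RequestWrapper.
    boolean flag = true;
    if (!flag) {
        // Validates everything in the request, including form fields. This mode is strict and
        // easily mangles legitimate form input (see cleanXSS / cleanSQLInject), so use it with care.
        filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
        return;
    }

    // URL-only XSS check.
    HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
    HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

    // URLDecoder.decode returns a non-null String (and getRequestURL() is not expected to be
    // null), so the per-branch null checks the original repeated after decoding were unreachable;
    // the single guard inside isExemptUri keeps the defensive behaviour.
    String requesturi = URLDecoder.decode(httpServletRequest.getRequestURL().toString(), "UTF-8");
    if (isExemptUri(requesturi)) {
        filterchain.doFilter(servletrequest, servletresponse);
        return;
    }

    RequestWrapper rw = new RequestWrapper(httpServletRequest);
    String param = httpServletRequest.getQueryString();
    if (param != null && !param.isEmpty()) {
        param = URLDecoder.decode(param, "UTF-8");
        String sqlParam = param;
        // SQL-keyword screening is applied only on the question/answer endpoints.
        if (requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")) {
            sqlParam = rw.cleanSQLInject(param);
        }
        String xssParam = rw.cleanXSS(sqlParam);
        requesturi += "?" + xssParam;
        if (!xssParam.equals(param)) {
            // Cleaning changed the query: bounce the client to the cleaned URL rather than serve it.
            // The untrusted query reaches stdout unescaped here.
            System.out.println("requesturi::::::" + requesturi);
            httpServletResponse.sendRedirect(requesturi);
            System.out.println("noentered.");
            return;
        }
    }
    filterchain.doFilter(servletrequest, servletresponse);
}

/**
 * Returns true when the decoded request URL contains one of the pages excluded from screening.
 * Matching is by substring ({@code indexOf}), exactly as the original per-page checks did.
 *
 * @param requesturi the decoded request URL; null yields false
 */
private static boolean isExemptUri(String requesturi) {
    if (requesturi == null) {
        return false;
    }
    return requesturi.indexOf("alipay_hotel_book_return.html") != -1
        || requesturi.indexOf("account_bank_return.html") != -1
        || requesturi.indexOf("/alipay/activity.html") != -1
        || requesturi.indexOf("/alipayLogin.html") != -1;
}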
requestMapping:
/**
 * No-argument form that wraps no request.
 *
 * NOTE(review): the servlet API's {@code ServletRequestWrapper} constructor rejects a null
 * request with {@code IllegalArgumentException}, so this constructor is not expected to complete
 * successfully — confirm against the servlet version in use; the one-argument constructor is the
 * usable one.
 */
public RequestWrapper() {
    super(null);
}
/**
 * Wraps the given request so that parameters and headers read through this wrapper are passed
 * through {@code cleanSQLInject} and {@code cleanXSS} (see the overrides below).
 *
 * @param httpservletrequest the request to wrap
 */
public RequestWrapper(HttpServletRequest httpservletrequest) {
    super(httpservletrequest);
}
/**
 * Returns the parameter's values with each element passed through {@code cleanSQLInject} and
 * then {@code cleanXSS}.
 *
 * <p>Because those helpers rewrite substrings such as "or"/"and" and strip "@", ",", ";" and
 * '"', ordinary values (e-mail addresses, free text) can come back altered.
 *
 * @param s the parameter name
 * @return a fresh array of cleaned values, or null when the wrapped request has no such parameter
 */
@Override
public String[] getParameterValues(String s) {
    String[] raw = super.getParameterValues(s);
    if (raw == null) {
        return null;
    }
    String[] cleaned = new String[raw.length];
    int idx = 0;
    for (String value : raw) {
        cleaned[idx++] = cleanXSS(cleanSQLInject(value));
    }
    return cleaned;
}
/**
 * Returns the single parameter value passed through {@code cleanSQLInject} and then
 * {@code cleanXSS}; null when the wrapped request has no such parameter.
 *
 * @param s the parameter name
 * @return the cleaned value, or null
 */
@Override
public String getParameter(String s) {
    String value = super.getParameter(s);
    return value == null ? null : cleanXSS(cleanSQLInject(value));
}
/**
 * Returns the header value passed through {@code cleanSQLInject} and then {@code cleanXSS};
 * null when the header is absent.
 *
 * <p>Note that {@code cleanXSS} deletes ";", ",", '"' and "@" and {@code cleanSQLInject} rewrites
 * "or"/"and", so headers whose syntax relies on those characters (e.g. multi-valued or quoted
 * header fields) are returned altered — verify that no downstream code depends on the raw value.
 *
 * @param s the header name
 * @return the cleaned header value, or null
 */
@Override
public String getHeader(String s) {
    String value = super.getHeader(s);
    if (value != null) {
        return cleanXSS(cleanSQLInject(value));
    }
    return null;
}
/**
 * Rewrites or strips a fixed set of XSS-associated tokens from {@code src} and returns the result.
 *
 * <p>Passes, in order: five literal character replacements; a case-insensitive removal of
 * {@code eval(...)} and "script"; a case-insensitive rewrite of quoted {@code javascript:} values
 * to an empty quoted string; then literal deletion of "script", ";", '"', "@", "0x0d", "0x0a" and
 * ",". When anything changed, the original and cleaned strings are printed to stdout.
 *
 * <p>NOTE(review): as published, the first five replacements map "<", ">", "(", ")" and "'" to
 * themselves, i.e. they are no-ops — presumably HTML entities in the original source were lost
 * when the listing was rendered; confirm against the real source. The "0x0d"/"0x0a" deletions match
 * the literal text "0x0d"/"0x0a", not carriage-return/line-feed characters. A blacklist like this is
 * not equivalent to context-aware output encoding, and it alters legitimate input (any "@" or ","
 * is removed).
 *
 * @param src the raw input; must not be null
 * @return the cleaned string
 */
public String cleanXSS(String src) {
    final String original = src;
    System.out.println("xss---temp-->" + src);

    String cleaned = src
        .replaceAll("<", "<")
        .replaceAll(">", ">")
        .replaceAll("\\(", "(")
        .replaceAll("\\)", ")")
        .replaceAll("'", "'");

    cleaned = Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE)
        .matcher(cleaned)
        .replaceAll("");
    cleaned = Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE)
        .matcher(cleaned)
        .replaceAll("\"\"");

    // Additional literal tokens; deleted in this exact order since each deletion can join text.
    String[] literalsToDrop = {"script", ";", "\"", "@", "0x0d", "0x0a", ","};
    for (String token : literalsToDrop) {
        cleaned = cleaned.replaceAll(token, "");
    }

    if (!original.equals(cleaned)) {
        System.out.println("输入信息存在xss攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + cleaned);
    }
    return cleaned;
}
/**
 * Rewrites six SQL keywords in {@code src} with "forbid" markers and returns the result.
 *
 * <p>Matching is case-sensitive and substring-based, so "SELECT" passes untouched while ordinary
 * words are mangled (for example "password" becomes "passwforbidOd" and "android" becomes
 * "forbidAroid"). When anything changed, the original and rewritten strings are printed to stdout.
 *
 * <p>TODO (original author's note): add wildcard matching and handle mixed-case combinations.
 * Security note: keyword rewriting does not prevent SQL injection; only parameterized queries
 * ({@code PreparedStatement} with bound values) do. Treat this as logging/telemetry at most.
 *
 * @param src the raw input; must not be null
 * @return the rewritten string
 */
public String cleanSQLInject(String src) {
    final String original = src;
    // Order matters: each rewrite runs on the output of the previous one.
    String[][] rewrites = {
        {"insert", "forbidI"},
        {"select", "forbidS"},
        {"update", "forbidU"},
        {"delete", "forbidD"},
        {"and", "forbidA"},
        {"or", "forbidO"},
    };
    String cleaned = src;
    for (String[] rewrite : rewrites) {
        cleaned = cleaned.replaceAll(rewrite[0], rewrite[1]);
    }
    if (!original.equals(cleaned)) {
        System.out.println("输入信息存在SQL攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + cleaned);
    }
    return cleaned;
}
xml配置:
<filter> <filter-name>XssFilter</filter-name> <filter-class>cn.com.jsoft.xss.XSSFilter</filter-class> <init-param> <param-name>encoding</param-name> <param-value>UTF-8</param-value> </init-param> </filter> <filter-mapping> <filter-name>XssFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
以上代码仅仅将特殊的 SQL 字符和特殊的 script 脚本字符处理掉,具体的页面处理仍然需要后台处理。
关于这篇java过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持毛票票。