1.编写一个过滤器处理转义字符,防止SQL注入
package com.xinrui.flower.filter;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
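/**
 * Servlet filter that wraps each incoming HTTP request in
 * {@link XssHttpServletRequestWraper} so that parameter and header values are
 * sanitised before the application reads them.
 *
 * <p>Created: 2016-02-23 13:34:04<br>
 * Project: Flower<br>
 * File: XssFilter.java
 *
 * @author 梁志成
 * @version 1.0
 * @since JDK 1.8.0_21
 */
public class XssFilter implements Filter {

    /** Nothing to initialise; the filter holds no state. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Passes the request down the chain wrapped in
     * {@link XssHttpServletRequestWraper}.
     *
     * <p>As originally written the filter forwarded the raw request, so the
     * wrapper was never applied and the filter was a no-op.  Requests that are
     * not {@link HttpServletRequest} are forwarded untouched, because the
     * wrapper only accepts HTTP requests.
     *
     * @param request  the incoming request
     * @param response the outgoing response
     * @param chain    the remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        ServletRequest wrapped = request;
        if (request instanceof HttpServletRequest) {
            wrapped = new XssHttpServletRequestWraper((HttpServletRequest) request);
        }
        chain.doFilter(wrapped, response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}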
package com.xinrui.flower.filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
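/**
 * {@link HttpServletRequestWrapper} that sanitises parameter and header values
 * so that characters which open HTML or JavaScript constructs are not handed
 * to the application unchanged.
 *
 * <p>This is defence in depth only: the reliable protection against XSS is
 * context-aware output encoding at the point where a value is rendered.  The
 * class name (including the "Wraper" spelling) is kept because it is
 * referenced by {@code XssFilter}.
 *
 * <p>Created: 2016-03-01 17:51:06<br>
 * Project: Flower<br>
 * File: XssHttpServletRequestWraper.java
 *
 * @author 梁志成
 * @version 1.0
 * @since JDK 1.8.0_21
 */
public class XssHttpServletRequestWraper extends HttpServletRequestWrapper {

    /**
     * @param request the request to wrap; must not be {@code null}
     */
    public XssHttpServletRequestWraper(HttpServletRequest request) {
        super(request);
    }

    /**
     * @return the sanitised value of the named parameter, or {@code null}
     *         when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        return clearXss(super.getParameter(name));
    }

    /**
     * @return the sanitised value of the named header, or {@code null} when
     *         the header is absent
     */
    @Override
    public String getHeader(String name) {
        return clearXss(super.getHeader(name));
    }

    /**
     * @return a new array holding the sanitised values of the named
     *         parameter, or {@code null} when the parameter is absent (the
     *         servlet API contract for {@code getParameterValues})
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        // The servlet API returns null for an absent parameter; the original
        // dereferenced values.length unconditionally and threw NPE.
        if (values == null) {
            return null;
        }
        String[] sanitised = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            sanitised[i] = clearXss(values[i]);
        }
        return sanitised;
    }

    /**
     * Neutralises characters and fragments commonly used to inject markup or
     * script into a page.
     *
     * <p>{@code eval(...)} calls and quoted {@code javascript:} URLs are
     * removed first; then angle brackets, parentheses and single quotes are
     * replaced by their HTML entity forms so that they survive as text but
     * can no longer open a tag, a call or a string literal.
     *
     * @param value raw value; may be {@code null}
     * @return the sanitised value, or {@code value} itself when it is
     *         {@code null} or empty
     */
    public String clearXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Pattern-based removals kept from the original.  They run before the
        // entity encoding below, because once "(" and "'" are encoded these
        // patterns could never match.  Both are case-sensitive and the eval
        // pattern is greedy, so they are best-effort only.
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        // The original replaced each character with itself (e.g. "<" -> "<"),
        // which is a no-op, and mixed the regex replaceAll with the literal
        // replace.  String.replace is literal, so no escaping is needed.
        value = value.replace("<", "&lt;").replace(">", "&gt;");
        value = value.replace("(", "&#40;").replace(")", "&#41;");
        value = value.replace("'", "&#39;");
        // The original also stripped the bare substring "script", which
        // corrupts ordinary words ("description" -> "deion") and adds nothing
        // once "<" and ">" are encoded, so it is not carried over.
        return value;
    }
}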
2.在web.xml中注册该过滤器
<!-- Register XssFilter (request-sanitising filter, labelled anti-SQL-injection by the author) and map it to every URL -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.xinrui.flower.filter.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>