参考 :
spring boot使用切面对HTTP传入的参数做防sql和非法字符串检测_Ripley的博客-CSDN博客_springboot校验参数是否包含sql注入
项目中配置防止sql注入(springboot)_cyq_java的博客-CSDN博客_springbootsql注入
import com.aliyun.et.industry.pangang.api.exception.PangangException;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
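@Component
@Aspect
public class PreventSQLAttack {
    private static final Logger LOGGER = LoggerFactory.getLogger(PreventSQLAttack.class);

    /**
     * Deny-list of SQL fragments rejected when found (case-insensitively) in the string
     * form of any controller argument. Keyword tokens are padded with spaces, so e.g.
     * "update" at the very start of a value is NOT caught; "'", "(" and ")" match anywhere.
     * ("truncate" was previously misspelled "trancate" and never matched.)
     *
     * <p>This is defence in depth only. A keyword deny-list is easily bypassed (comments,
     * alternative encodings, keywords not listed) and must never be relied on instead of
     * parameterized queries (PreparedStatement / ORM bind variables) in the data layer.
     */
    private static final String badStr = " update | and | or | delete | insert | truncate | char | into | substr | ascii | declare | exec | count | master | drop | execute |'|(|)";
    private static final String[] badStrs = badStr.split("\\|");
    private static final String REQUEST_PARAMETER_ILLEGAL = "请求参数非法";

    /**
     * Pointcut: every method in the controller layer.
     * NOTE(review): this package (cn.nordrassil...) differs from the project exception's
     * package (com.aliyun.et.industry.pangang...); confirm it actually matches this
     * project's controllers, otherwise the aspect never fires and nothing is checked.
     */
    @Pointcut("execution(* cn.nordrassil.web.controller..*(..))")
    public void other() {
    }

    /**
     * Around advice: scans the join point's arguments for deny-listed SQL fragments and
     * rejects the request before the controller runs.
     *
     * <p>The check is deliberately kept outside any try/catch that could fall through to
     * {@code proceed()}: the guard must fail closed (a rejected request, or a null/odd
     * argument, must never reach the controller), and the controller must be invoked at
     * most once (a catch-all that called {@code proceed()} again would re-run a handler
     * that had already thrown).
     *
     * @param joinPoint the intercepted controller invocation
     * @return whatever the controller returns
     * @throws RuntimeException with message {@code REQUEST_PARAMETER_ILLEGAL} when an
     *         argument contains a deny-listed fragment
     * @throws Throwable anything the controller itself throws, propagated unchanged
     *         (a PangangException keeps its original message and cause instead of being
     *         re-wrapped from its result code alone)
     */
    @Around("other()")
    public Object other(ProceedingJoinPoint joinPoint) throws Throwable {
        String hit = firstForbiddenToken(joinPoint.getArgs());
        if (hit != null) {
            // Log only the matched token, never the whole argument: it may hold credentials or PII.
            LOGGER.error("{}接口路径: {} 命中片段: [{}]", REQUEST_PARAMETER_ILLEGAL, currentRequestUrl(), hit);
            throw new RuntimeException(REQUEST_PARAMETER_ILLEGAL);
        }
        // Invoke the controller exactly once; its exceptions go straight to the caller/handler.
        return joinPoint.proceed();
    }

    /**
     * Returns the first deny-listed token found in the string form of any argument, or
     * {@code null} when none matches. Null arguments are skipped rather than dereferenced.
     * Matching is case-insensitive because the deny-list is lower case and the input is
     * lower-cased with a fixed locale.
     * NOTE(review): every argument's toString() is scanned, as before; a DTO whose
     * toString() contains '(' / ')' or one of the padded keywords will be rejected.
     *
     * @param args the join point's arguments, may be null or contain nulls
     * @return the matched token, or null
     */
    private static String firstForbiddenToken(Object[] args) {
        if (args == null) {
            return null;
        }
        for (Object arg : args) {
            if (arg == null) {
                continue;
            }
            String value = String.valueOf(arg).toLowerCase(Locale.ROOT);
            for (String token : badStrs) {
                if (value.contains(token)) {
                    return token;
                }
            }
        }
        return null;
    }

    /**
     * Best-effort request URL for the log line. Returns a placeholder when the advice runs
     * outside a servlet request, where RequestContextHolder yields null.
     */
    private static String currentRequestUrl() {
        ServletRequestAttributes attributes =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attributes == null) {
            return "<no request>";
        }
        HttpServletRequest request = attributes.getRequest();
        return String.valueOf(request.getRequestURL());
    }
}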