web.xml的代码:
<!-- Request-parameter blacklist filter (SqlInjectionFilter). It inspects the
     parameters of every matched request and redirects the client when a value
     matches the configured expression. Defence in depth only: it is not a
     substitute for parameterised queries in the data layer. -->
<filter>
<filter-name>sqlInjectionFilter</filter-name>
<filter-class>com.suning.mcms.web.auth.filter.SqlInjectionFilter</filter-class>
</filter>
<!-- Only requests whose path ends in ".do" pass through the filter; anything
     served under another extension or path mapping is never inspected. No
     <dispatcher> element is declared, so on a Servlet 2.4+ descriptor only the
     initial REQUEST dispatch is filtered, not FORWARD/INCLUDE (verify against
     the web-app version in use). -->
<filter-mapping>
<filter-name>sqlInjectionFilter</filter-name>
<url-pattern>*.do</url-pattern>
</filter-mapping>
拦截器的代码:
package com.suning.mcms.web.auth.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.context.support.WebApplicationContextUtils;
import org.springframework.web.context.support.XmlWebApplicationContext;
import com.suning.mcms.web.auth.util.RedirectUtils;
import com.suning.zbl.SqlInjectionEntity;
import com.suning.zbl.injection.service.SqlInjectionService;
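/**
 * Servlet filter that screens request parameters against a configurable
 * regular-expression blacklist (dictionary key {@code sqlInjection}, reloaded
 * from the service on every request) and redirects the client when a
 * parameter value matches.
 *
 * <p>Security note (review): a request-parameter blacklist is defence in
 * depth at best and must not be relied on instead of parameterised queries
 * ({@code PreparedStatement}) in the data layer. Only request parameters are
 * inspected -- headers, cookies and the request path are not -- and the match
 * uses {@link Matcher#matches()}, i.e. a value is rejected only when the
 * <em>whole</em> lower-cased value matches the configured expression, not
 * when it merely contains a blacklisted token.
 *
 * <p>The filter is instantiated by the servlet container, so the
 * {@code @Autowired} field is not populated by Spring; the service bean is
 * resolved lazily from the root {@code WebApplicationContext} on first use.
 * That context is reached through the {@link ServletContext} captured in
 * {@link #init}, which avoids forcing an HTTP session to be created for every
 * request (the previous lookup went through {@code request.getSession()}).
 *
 * <p>Fixes relative to the previous version: all values of a multi-valued
 * parameter are checked (only the first was, so {@code ?id=1&id=<payload>}
 * was never inspected); the pattern is compiled once per request instead of
 * once per parameter; the login-action check is relative to the deployed
 * context path instead of the hard-coded {@code /mcms-portal}; a missing
 * service bean fails the request closed with a descriptive exception instead
 * of a bare {@code NullPointerException}.
 */
public class SqlInjectionFilter implements Filter {

    /** Dictionary key under which the blacklist expression is stored. */
    private static final String RULE_KEY = "sqlInjection";

    /** Spring bean name of the service that loads the blacklist. */
    private static final String SERVICE_BEAN = "sqlInjectionService";

    /** Login action path (relative to the context path) that uses the index redirect. */
    private static final String LOGIN_PATH = "/j_security_check.do";

    /** Redirect target for a blocked request on an ordinary page. */
    private static final String BLOCKED_URL = "/capital/allocation/sqlInjection.do";

    /** Redirect target for a blocked request on the login action. */
    private static final String LOGIN_BLOCKED_URL = "/index.do";

    @Autowired
    private SqlInjectionService sqlInjectionService;

    /** Captured in {@link #init}; used to reach the Spring root context. */
    private ServletContext servletContext;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        servletContext = filterConfig.getServletContext();
    }

    /**
     * Loads the current blacklist expression, scans the request parameters and
     * either redirects (blocked) or passes the request down the chain.
     *
     * @throws ServletException if the blacklist service cannot be resolved
     *         (the request fails closed rather than bypassing the check)
     * @throws IOException propagated from the redirect or the filter chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        SqlInjectionEntity query = new SqlInjectionEntity();
        query.setKey(RULE_KEY);
        SqlInjectionEntity rule = lookupService().getSqlInjectionEntity(query);

        String expression = rule == null ? null : rule.getValue();
        if (expression != null && !expression.trim().equals("")) {
            // Compile once per request rather than once per parameter. A malformed
            // expression throws PatternSyntaxException here, which fails the request
            // closed (HTTP 500) rather than silently letting traffic through.
            Pattern pattern = Pattern.compile(expression);
            if (hasBlockedParameter(request, pattern)) {
                // The login action is sent back to the index page; every other
                // request goes to the dedicated "blocked" page.
                String target = isLoginRequest(request) ? LOGIN_BLOCKED_URL : BLOCKED_URL;
                sendRedirect(request, response, target);
                return;
            }
        }
        filterChain.doFilter(request, response);
    }

    /**
     * Returns the blacklist service, resolving it from the Spring root context on
     * first use because the container, not Spring, constructs this filter. Two
     * threads may race to resolve it; the lookup is idempotent so that is benign.
     *
     * @throws ServletException if the filter was not initialised, no root context
     *         is registered, or the bean is missing -- the request fails closed
     */
    private SqlInjectionService lookupService() throws ServletException {
        SqlInjectionService service = sqlInjectionService;
        if (service == null) {
            if (servletContext == null) {
                throw new ServletException("SqlInjectionFilter not initialised: no ServletContext");
            }
            try {
                service = (SqlInjectionService) WebApplicationContextUtils
                        .getRequiredWebApplicationContext(servletContext)
                        .getBean(SERVICE_BEAN, SqlInjectionService.class);
            } catch (RuntimeException e) {
                // IllegalStateException (no root context) or a BeansException; both
                // are configuration errors and must not let requests through unchecked.
                throw new ServletException("Cannot resolve bean '" + SERVICE_BEAN + "'", e);
            }
            sqlInjectionService = service;
        }
        return service;
    }

    /**
     * Scans every value of every request parameter (all values of a multi-valued
     * parameter, not just the first) and reports whether one of them, lower-cased,
     * matches the whole blacklist expression. Blank values are never blocked.
     */
    private static boolean hasBlockedParameter(HttpServletRequest request, Pattern pattern) {
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (value == null || value.trim().equals("")) {
                    continue;
                }
                // Locale.ROOT: the JVM default locale (e.g. Turkish) folds "I" differently
                // and could let a token slip past the lower-cased expression.
                if (pattern.matcher(value.toLowerCase(Locale.ROOT)).matches()) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * True when the request targets the container login action. The comparison is
     * relative to the deployed context path, so it no longer depends on the
     * application being mounted at {@code /mcms-portal}.
     */
    private static boolean isLoginRequest(HttpServletRequest request) {
        return (request.getContextPath() + LOGIN_PATH).equals(request.getRequestURI());
    }

    /** Redirects via the project helper; {@code false} is the flag the original code passed. */
    protected void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url)
            throws IOException {
        RedirectUtils.sendRedirect(request, response, url, false);
    }

    @Override
    public void destroy() {
    }
}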
校验规则:
-- Seeds the blacklist expression read by SqlInjectionFilter under PARAM_KEY
-- 'sqlInjection'. The value is a regular-expression alternation of tokens; the
-- filter lower-cases each parameter value and rejects it only when the WHOLE
-- value matches (Matcher.matches), so a value equal to "and" or "select" is
-- blocked, but a value that merely contains such a token is not.
-- Many tokens are repeated (and, select, or, -, ...); harmless for an
-- alternation but worth de-duplicating. "\\*" and "\\+" are written with a
-- doubled backslash: whether the stored regex receives "\*" or "\\*" depends
-- on the database's string-escape rules -- verify against the target DB.
INSERT INTO SYS_DIC_PARAM( PARAM_KEY, PARAM_VALUE)
VALUES( 'sqlInjection', '''|and|exec|execute|insert|select|delete|update|count|drop|\\*|%|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|;|or|-|\\+|,|like''|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|\\*|chr|mid|master|truncate|char|declare|or|;|-|--|\\+|,|like|//|/|%|#')
'|and|exec|execute|insert|select|delete|update|count|drop|\\*|%|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|;|or|-|\\+|,|like'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|\\*|chr|mid|master|truncate|char|declare|or|;|-|--|\\+|,|like|//|/|%|#
Filter 也称之为过滤器,它是Servlet2.3以上新增加的一个功能,其技术是非常强大的。通过Filter技术可以对WEB服务器的文件进行拦截过滤,从而实现一些特殊的功能。在JSP开发应用中也是必备的技能之一。
Filter可以改变一个request(请求)和修改一个response(响应