import java.io.IOException;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* 通过Filter过滤器来防SQL注入攻击
*
*/
public class SQLFilter implements Filter {
private String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";
protected FilterConfig filterConfig = null;
/**
* Should a character encoding specified by the client be ignored?
*/
protected boolean ignore = true;
public void init(FilterConfig config) throws ServletException {
this.filterConfig = config;
this.inj_str = filterConfig.getInitParameter("keywords");
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest)request;
HttpServletResponse res = (HttpServletResponse)response;
Iterator values = req.getParameterMap().values().iterator();//获取所有的表单参数
while(values.hasNext()){
String[] value = (String[])values.next();
for(int i = 0;i < value.length;i++){
if(sql_inj(value[i])){
//TODO这里发现sql注入代码的业务逻辑代码
return;
}
}
}
chain.doFilter(request, response);
}
public boolean sql_inj(String str)
{
String[] inj_stra=inj_str.split("\\|");
for (int i=0 ; i < inj_stra.length ; i++ )
{
if (str.indexOf(" "+inj_stra[i]+" ")>=0)
{
return true;
}
}
return false;
}
}
防止sql注入过滤器
最新推荐文章于 2024-05-23 14:50:28 发布