SQL注入是比较常见的网络攻击方式之一,它不是利用操作系统的BUG来实现攻击,而是针对程序员编程时的疏忽,通过SQL语句,实现无帐号登录,甚至篡改数据库。
filter功能.它使用户可以改变一个 request和修改一个response. Filter 不是一个servlet,它不能产生一个response,它能够
在一个request到达servlet之前预处理request,也可以在离开 servlet时处理response.换种说法,filter其实是一个”servlet
chaining”(servlet 链). 所以用户发出的任何request都必然经过filter处理,我们就在filter处理用户request包含的敏感关
键字,然后replace掉或是让页面转到错误页来提示用户,这样就可以很好的防sql注入了。
java代码:ReqFilter.java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class ReqFilter implements Filter {
public void init(FilterConfig config) throws ServletException {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
ReqHttpServletRequestWrapper reqRequest = new ReqHttpServletRequestWrapper(
(HttpServletRequest) request);
chain.doFilter(reqRequest, response);
}
public void destroy() {
}
}
java代码:ReqHttpServletRequestWrapper.java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class ReqHttpServletRequestWrapper extends HttpServletRequestWrapper {
HttpServletRequest orgRequest = null;
public ReqHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if (value != null) {
value = reqEncode(value);
}
return value;
}
private static String reqEncode(String s) {
if (s == null || "".equals(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '\'':
sb.append("′");// ´");
break;
case '′':
sb.append("′");// ´");
break;
case '\"':
sb.append(""");
break;
case '"':
sb.append(""");
break;
case '&':
sb.append("&");
break;
case '#':
sb.append("#");
break;
case '\\':
sb.append('¥');
break;
case '>':
sb.append('>');
break;
case '<':
sb.append('<');
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof ReqHttpServletRequestWrapper) {
return ((ReqHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
}
filter功能.它使用户可以改变一个 request和修改一个response. Filter 不是一个servlet,它不能产生一个response,它能够
在一个request到达servlet之前预处理request,也可以在离开 servlet时处理response.换种说法,filter其实是一个”servlet
chaining”(servlet 链). 所以用户发出的任何request都必然经过filter处理,我们就在filter处理用户request包含的敏感关
键字,然后replace掉或是让页面转到错误页来提示用户,这样就可以很好的防sql注入了。
java代码:ReqFilter.java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class ReqFilter implements Filter {
public void init(FilterConfig config) throws ServletException {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
ReqHttpServletRequestWrapper reqRequest = new ReqHttpServletRequestWrapper(
(HttpServletRequest) request);
chain.doFilter(reqRequest, response);
}
public void destroy() {
}
}
java代码:ReqHttpServletRequestWrapper.java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class ReqHttpServletRequestWrapper extends HttpServletRequestWrapper {
HttpServletRequest orgRequest = null;
public ReqHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if (value != null) {
value = reqEncode(value);
}
return value;
}
private static String reqEncode(String s) {
if (s == null || "".equals(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '\'':
sb.append("′");// ´");
break;
case '′':
sb.append("′");// ´");
break;
case '\"':
sb.append(""");
break;
case '"':
sb.append(""");
break;
case '&':
sb.append("&");
break;
case '#':
sb.append("#");
break;
case '\\':
sb.append('¥');
break;
case '>':
sb.append('>');
break;
case '<':
sb.append('<');
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof ReqHttpServletRequestWrapper) {
return ((ReqHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
}