我们在开发系统的时候，总是要防止 SQL 注入。下面是我采用过滤器方式来阻止 SQL 注入的代码，感觉效率很慢，所以各位有好的方式请推荐。
过滤器代码:
package com.zbxsoft.uct.auth;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.zbxsoft.tools.LogUtil;
import com.zbxsoft.tools.StrUtil;
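/**
 * 防止sql攻击过滤器 — rejects a request when any request parameter value contains one of the
 * configured keyword fragments (init-param {@code sqlStr}, {@code |}-separated).
 *
 * <p>This is a keyword denylist applied to request parameters only (headers, the request path
 * and a raw request body are not inspected), and it matches substrings, so ordinary words such
 * as "selection" or "updated" are rejected as well. Treat it as defence in depth: SQL injection
 * is prevented by parameterised queries ({@code PreparedStatement}) in the data-access code,
 * not by this filter.
 *
 * <p>Thread-safety: {@link #splitSql} is assigned in {@link #init} and only ever replaced as a
 * whole (never mutated in place), so request threads read it without locking.
 *
 * @author qmhao
 * @version 1.2.3
 */
public class SqlFilter implements Filter {
    /**
     * Lower-cased, trimmed keyword fragments a parameter value must not contain; {@code null}
     * until {@link #init} has read the {@code sqlStr} init-param. {@code volatile} gives safe
     * publication of the replaced array to request threads without a lock.
     */
    static volatile String[] splitSql = null;
    /** Path from the {@code errorPage} init-param. Read in {@link #init}; not used by {@link #doFilter}. */
    static String errorPage = "/";

    /**
     * 初始化 — reads {@code errorPage} and {@code sqlStr} from the filter configuration.
     *
     * @param arg0 filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by {@link Filter#init}
     */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
        String ep = arg0.getInitParameter("errorPage");// 读配置文件
        if (ep != null) {
            errorPage = ep;
        }
        String sqlStr = arg0.getInitParameter("sqlStr");// 读配置文件
        if (sqlStr != null) {
            splitSql = normalizeKeywords(sqlStr);
        }
    }

    /**
     * Splits the {@code |}-separated keyword list and normalises each entry.
     *
     * <p>Entries are trimmed and lower-cased so that they compare correctly against the
     * lower-cased parameter values in {@link #isCorrectContent}; empty entries (e.g. from
     * {@code "a||b"}) are dropped, because {@code indexOf("")} is 0 for every string and a
     * single empty keyword would reject every request.
     *
     * @param sqlStr raw init-param value
     * @return normalised keyword array, possibly empty, never {@code null}
     */
    static String[] normalizeKeywords(String sqlStr) {
        List<String> keywords = new ArrayList<String>();
        for (String raw : sqlStr.split("\\|")) {
            // Locale.ROOT: locale-independent case folding, same as in isCorrectContent
            String keyword = raw.trim().toLowerCase(Locale.ROOT);
            if (!keyword.isEmpty()) {
                keywords.add(keyword);
            }
        }
        return keywords.toArray(new String[keywords.size()]);
    }

    /** Nothing to release: the filter holds only immutable configuration. */
    @Override
    public void destroy() {
    }

    /**
     * 执行过滤 — checks every value of every request parameter; on the first match the request
     * is answered with HTTP 400 and a small HTML alert and the chain is not continued.
     *
     * <p>All values of a multi-valued parameter are inspected ({@code getParameterValues}),
     * not just the first one returned by {@code getParameter}. Parameter values are not written
     * to the log on the success path, because they may carry credentials or other personal data.
     *
     * @param srequest  incoming request (cast to {@link HttpServletRequest})
     * @param sresponse outgoing response (cast to {@link HttpServletResponse})
     * @param chain     remaining filter chain, invoked only when every value passes
     * @throws IOException      if writing the rejection response fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest srequest, ServletResponse sresponse,
            FilterChain chain) throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) srequest;
        HttpServletResponse response = (HttpServletResponse) sresponse;
        response.setCharacterEncoding("UTF-8");
        // Read the volatile once so a concurrent re-init cannot swap the list mid-request.
        String[] keywords = splitSql;
        if (keywords != null && keywords.length > 0) {
            Enumeration<String> names = request.getParameterNames();
            while (names.hasMoreElements()) {
                String param = names.nextElement();
                String[] values = request.getParameterValues(param);
                if (values == null) {
                    continue;
                }
                LogUtil.debug("------sqlFilter: param=" + param);
                for (String value : values) {
                    if (!isCorrectContent(value, keywords)) {
                        response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                        response.setContentType("text/html;charset=UTF-8");
                        response.getWriter().write("<script>alert('请求参数中含有非法字符!');</script>");
                        LogUtil.error(">>>>>>>>>>>>>>sql过滤未通过!!param:"+param+"value:"+value);
                        return;
                    }
                }
            }
        }
        LogUtil.debug(">>>>>>>>>>>>>>sql过滤通过!!");
        chain.doFilter(request, response);
    }

    /**
     * 判断是否是安全值 — checks {@code paraValue} against the configured keyword list.
     *
     * <p>No longer {@code synchronized}: the keyword array is never mutated after
     * {@link #init}, so there is nothing to serialise, and the lock made every request wait
     * on every other one.
     *
     * @param paraValue parameter value to check; {@code null} or empty is treated as safe
     * @return {@code true} if the value is safe, {@code false} if it contains a keyword
     */
    public static boolean isCorrectContent(String paraValue) {
        return isCorrectContent(paraValue, splitSql);
    }

    /**
     * Substring test of the lower-cased value against each keyword.
     *
     * @param paraValue value to check; {@code null} or empty is safe
     * @param keywords  keyword list; {@code null} (filter not initialised) means nothing to check
     * @return {@code true} if no keyword occurs in the value
     */
    private static boolean isCorrectContent(String paraValue, String[] keywords) {
        if (paraValue == null || paraValue.isEmpty() || keywords == null) {
            return true;
        }
        // Lower-case once, outside the loop, rather than once per keyword.
        String lowered = paraValue.toLowerCase(Locale.ROOT);
        for (String keyword : keywords) {
            if (lowered.indexOf(keyword) != -1) {
                return false;
            }
        }
        return true;
    }
}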
web.xml配置
<!-- 安全过滤器:sql注入,敏感词 -->
<!-- sqlStr: '|'-separated keyword fragments. SqlFilter lower-cases each parameter value and
     rejects the request when any fragment occurs as a substring, so keep the fragments in
     lower case. errorPage is read by SqlFilter.init but is not used by doFilter. -->
<filter>
    <filter-name>sqlFilter</filter-name>
    <filter-class>com.zbxsoft.uct.auth.SqlFilter</filter-class>
    <init-param>
        <param-name>sqlStr</param-name>
        <param-value>grant|exec|execute|insert|drop|select|delete|update|truncate|declare</param-value>
    </init-param>
    <init-param>
        <param-name>errorPage</param-name>
        <param-value>/common/error.jsp</param-value>
    </init-param>
</filter>