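/**
 * Input/output sanitising helpers intended to wrap {@code request.getAttribute()}
 * values before they are rendered in a JSP page.
 *
 * <p>{@link #checkHtmlEncode(String)} is an HTML output encoder for the characters
 * that matter in an XSS context ({@code & # ' " < >}).
 *
 * <p>{@link #checkSQLImmit(String)} is a keyword blacklist. A blacklist cannot
 * make dynamically concatenated SQL safe; the query must still be built with
 * {@code PreparedStatement} and bound parameters. The filter also damages
 * legitimate text (e.g. {@code O'Brien}, {@code "and then"}), so treat it as a
 * legacy defence-in-depth step, not as the SQL-injection control.
 */
public class SecurityCommLocalUtil {

    /**
     * Tokens removed by {@link #checkSQLImmit(String)}. The original code carried a
     * second, upper-cased copy of this list; since every token is now matched
     * case-insensitively, one list is sufficient. Order is preserved because the
     * replacements are applied sequentially and can interact.
     */
    private static final String[] SQL_BLACKLIST = {
        "select ", "and ", "or ", "update ", "delete ", "insert ", " sysibm", ";",
        " dual", " declare", "/*", " systables", "length ", " substr", "'", "<",
        ">", "`"
    };

    /**
     * The blacklist compiled once. {@code Pattern.quote} is essential: unquoted,
     * {@code "/*"} is the regex "zero or more slashes", which matches the empty
     * string at every position and turns {@code a/*b} into {@code " a  * b "}.
     */
    private static final Pattern[] SQL_BLACKLIST_PATTERNS = compileBlacklist();

    private static Pattern[] compileBlacklist() {
        Pattern[] patterns = new Pattern[SQL_BLACKLIST.length];
        for (int i = 0; i < SQL_BLACKLIST.length; i++) {
            patterns[i] = Pattern.compile(Pattern.quote(SQL_BLACKLIST[i]),
                    Pattern.CASE_INSENSITIVE);
        }
        return patterns;
    }

    /**
     * HTML-encodes the characters that can break out of an HTML text or
     * attribute context: {@code &}, {@code #}, {@code '}, {@code "}, {@code <}
     * and {@code >}.
     *
     * <p>NOTE(review): as extracted, the original replacement targets had collapsed
     * into the source characters themselves ({@code "&" -> "&"}, {@code "<" -> "<"}),
     * so the method returned its input unchanged and encoded nothing. The entity
     * forms below are the conventional ones for these characters. The original also
     * targeted a typographic quote ({@code ’}); that is presumed to be an extraction
     * artefact for {@code '} and is not encoded here.
     *
     * <p>A single left-to-right pass is used instead of chained
     * {@code replaceAll} calls so that the {@code &} of an emitted entity is never
     * re-encoded and no regex metacharacter handling is involved.
     *
     * @param sText the raw text; may be {@code null}
     * @return the encoded text, or {@code ""} when {@code sText} is {@code null} or empty
     */
    public static String checkHtmlEncode(String sText) {
        if (sText == null || sText.isEmpty()) {
            return "";
        }
        StringBuilder encoded = new StringBuilder(sText.length() + 16);
        for (int i = 0; i < sText.length(); i++) {
            char c = sText.charAt(i);
            switch (c) {
                case '&':
                    encoded.append("&amp;");
                    break;
                case '#':
                    encoded.append("&#35;");
                    break;
                case '\'':
                    encoded.append("&#39;");
                    break;
                case '"':
                    encoded.append("&quot;");
                    break;
                case '<':
                    encoded.append("&lt;");
                    break;
                case '>':
                    encoded.append("&gt;");
                    break;
                default:
                    encoded.append(c);
            }
        }
        return encoded.toString();
    }

    /**
     * Replaces every case-insensitive occurrence of each blacklisted SQL token with a
     * single space.
     *
     * <p>Two defects of the original are fixed here: the tokens were compiled as
     * unquoted regexes (so {@code "/*"} matched the empty string and sprayed spaces
     * between every character), and the presence check was case-sensitive against a
     * lower-case and an upper-case list only, so a mixed-case token such as
     * {@code "Select "} was never removed. Tokens are now quoted and always matched
     * case-insensitively.
     *
     * <p>This remains a blacklist and must not be relied on as the SQL-injection
     * control; use {@code PreparedStatement} with bound parameters.
     *
     * @param param the string to filter; may be {@code null}
     * @return the filtered string; {@code null} or {@code ""} is returned unchanged
     */
    public static String checkSQLImmit(String param) {
        if (param == null || param.isEmpty()) {
            return param;
        }
        String filtered = param;
        for (Pattern token : SQL_BLACKLIST_PATTERNS) {
            filtered = token.matcher(filtered).replaceAll(" ");
        }
        return filtered;
    }
}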
在jsp页面中用该方法包裹request.getAttribute()