- 开发web应用的过程中,需要防范SQL注入或JavaScript代码注入。以下通过过滤器(filter)实现,只实现了tomcat和weblogic两种应用服务器下的版本,其它应用服务器可以参照实现。
非常简单,只需三个步骤:
第一步,在你的工程加入如下所示的过滤器代码,一共两个类: CharFilter.java
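package com.hyjx.filter;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.Map.Entry;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

/**
 * Servlet filter that rewrites request parameters and cookies before they reach
 * the application: characters with SQL/HTML significance are replaced by
 * full-width look-alikes ({@link #getQjString}) and a value that still contains
 * the word "script" ({@link #getCheckString}) causes a redirect to
 * {@code /charError/charError.html}.
 *
 * <p>This is a deny-list input filter. It only detects the keyword "script";
 * every other character is merely rewritten. It reduces exposure but is not a
 * replacement for parameterized SQL ({@code PreparedStatement}) and
 * context-aware output encoding in the pages, which remain the real defenses.
 *
 * <p>Init parameters:
 * <ul>
 * <li>{@code excludeURL} - comma-separated URI fragments; a request whose URI
 * contains any of them bypasses the filter (substring match).</li>
 * <li>{@code appServer} - {@code "tomcat"} unlocks Tomcat's parameter map by
 * reflection and rewrites it in place; any other value takes the WebLogic path,
 * which wraps the request in {@link ParameterRequestWrapper}.</li>
 * </ul>
 *
 * @author jfish
 * @since 2006.1.12
 */
public class CharFilter implements Filter {

    /** Fully qualified to avoid clashing with the (unused) log4j Logger import above. */
    private static final java.util.logging.Logger LOG =
            java.util.logging.Logger.getLogger(CharFilter.class.getName());

    /** Page, relative to the context path, the client is redirected to on rejection. */
    private static final String ERROR_PAGE = "/charError/charError.html";

    /** Configuration handed over by the container in {@link #init}. */
    public FilterConfig config;

    public void setFilterConfig(FilterConfig config) {
        this.config = config;
    }

    public FilterConfig getFilterConfig() {
        return config;
    }

    /**
     * Entry point. Requests whose URI contains an {@code excludeURL} fragment pass
     * through untouched. Otherwise parameters and cookies are rewritten and checked
     * via {@link #checkTomcat} ({@code appServer=tomcat}) or {@link #checkWeblogic}
     * (any other value); a rejected request is redirected to the error page and
     * never reaches the rest of the chain.
     *
     * @throws IOException      from the chain or the redirect
     * @throws ServletException from the chain
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (isExcluded(req.getRequestURI())) {
            chain.doFilter(request, response);
            return;
        }

        String appServer = config.getInitParameter("appServer");
        if ("tomcat".equals(appServer)) {
            if (checkTomcat(req, res)) {
                redirectToErrorPage(req, res);
            } else {
                chain.doFilter(request, response);
            }
            return;
        }

        // WebLogic (and any other container): serve parameters from a wrapper so
        // the values can be rewritten. If this request already went through the
        // filter, unwrap it first so it is not wrapped twice.
        Map params = req.getParameterMap();
        if (req instanceof ParameterRequestWrapper) {
            req = ((ParameterRequestWrapper) req).getSuperRequest();
            params = req.getParameterMap();
        }
        ParameterRequestWrapper wrapRequest = new ParameterRequestWrapper(req, params);
        if (checkWeblogic(wrapRequest, res)) {
            redirectToErrorPage(req, res);
        } else {
            chain.doFilter(wrapRequest, response);
        }
    }

    /**
     * True when the URI contains one of the comma-separated {@code excludeURL}
     * fragments. This is a plain substring test, so a fragment such as
     * {@code update.dhtml} also exempts every other URI containing that text;
     * keep the configured fragments as specific as possible.
     */
    private boolean isExcluded(String uri) {
        String excludeURL = config.getInitParameter("excludeURL");
        if (excludeURL == null || "".equals(excludeURL) || uri == null) {
            return false;
        }
        String[] fragments = excludeURL.split(",");
        for (int i = 0; i < fragments.length; i++) {
            String fragment = fragments[i].trim();
            // An empty fragment (stray comma) would otherwise match every URI.
            if (fragment.length() > 0 && uri.indexOf(fragment) >= 0) {
                return true;
            }
        }
        return false;
    }

    private static void redirectToErrorPage(HttpServletRequest req,
            HttpServletResponse res) throws IOException {
        res.sendRedirect(req.getContextPath() + ERROR_PAGE);
    }

    /**
     * WebLogic variant: {@code req} is expected to be a {@link ParameterRequestWrapper}
     * whose map values can be rewritten in place.
     *
     * @return true when a parameter or cookie value must be rejected
     */
    public boolean checkWeblogic(HttpServletRequest req, HttpServletResponse response) {
        return scanParametersAndCookies(req, response);
    }

    /**
     * Tomcat variant: Tomcat's parameter map is locked once parsed, so it is
     * unlocked by reflection before the values are rewritten in place.
     *
     * @return true when a parameter or cookie value must be rejected
     */
    public boolean checkTomcat(HttpServletRequest req, HttpServletResponse response) {
        unlockParameterMap(req.getParameterMap());
        return scanParametersAndCookies(req, response);
    }

    /**
     * Calls {@code setLocked(false)} on the map if that method exists (Tomcat's
     * ParameterMap). Failure is logged and the scan proceeds as before.
     */
    private static void unlockParameterMap(Map map) {
        if (map == null) {
            return;
        }
        try {
            Method setLocked = map.getClass().getMethod("setLocked",
                    new Class[] { boolean.class });
            setLocked.invoke(map, new Object[] { Boolean.FALSE });
        } catch (NoSuchMethodException e) {
            logUnlockFailure(e);
        } catch (IllegalAccessException e) {
            logUnlockFailure(e);
        } catch (InvocationTargetException e) {
            logUnlockFailure(e);
        }
    }

    private static void logUnlockFailure(Exception e) {
        LOG.log(java.util.logging.Level.WARNING,
                "could not unlock the parameter map; values may be read-only", e);
    }

    /**
     * Rewrites every parameter value with {@link #getQjString} (in place, on the
     * String[] the container hands out) and rejects on the first one that fails
     * {@link #getCheckString}. Then every cookie except JSESSIONID is checked as
     * received, rewritten, and added to the response so the client stores the
     * sanitized value; note this re-sends the cookie with whatever attributes the
     * Cookie object carries.
     *
     * @return true when a value must be rejected
     */
    private boolean scanParametersAndCookies(HttpServletRequest req,
            HttpServletResponse response) {
        Map map = req.getParameterMap();
        if (map != null) {
            Set entries = map.entrySet();
            for (Iterator it = entries.iterator(); it.hasNext();) {
                Map.Entry entry = (Entry) it.next();
                if (!(entry.getValue() instanceof String[])) {
                    continue;
                }
                String[] values = (String[]) entry.getValue();
                for (int i = 0; i < values.length; i++) {
                    values[i] = getQjString(values[i]);
                    if (getCheckString(values[i])) {
                        return true;
                    }
                }
            }
        }

        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return false;
        }
        for (int i = 0; i < cookies.length; i++) {
            Cookie c = cookies[i];
            // The session id is left untouched; matched case-insensitively on both
            // container paths (the Tomcat path used to compare case-sensitively).
            if ("JSESSIONID".equalsIgnoreCase(c.getName())) {
                continue;
            }
            String cookieValue = c.getValue();
            if (getCheckString(cookieValue)) {
                return true;
            }
            c.setValue(getQjString(cookieValue));
            response.addCookie(c);
        }
        return false;
    }

    /**
     * Replaces characters with injection significance by full-width look-alikes:
     * single quote, double quote, less-than, greater-than, semicolon, percent,
     * the {@code --} comment marker and the equals sign; an ampersand becomes a
     * space. Parentheses and plus are deliberately left alone.
     *
     * @param parameter value to rewrite; may be null
     * @return the rewritten value, or "" for a null or empty input
     */
    public String getQjString(String parameter) {
        if (parameter == null || "".equals(parameter)) {
            return "";
        }
        String out = parameter;
        out = out.replaceAll("'", "‘");   // single quote
        // NOTE(review): in this listing the replacement text for "--" and "="
        // reads the same as the search text; confirm the intended full-width form.
        out = out.replaceAll("--", "--"); // SQL comment marker
        out = out.replaceAll("=", "=");   // equals sign
        out = out.replaceAll("\"", "“");  // double quote
        out = out.replaceAll("<", "《");  // less-than
        out = out.replaceAll(">", "》");  // greater-than
        out = out.replaceAll(";", "；");  // semicolon
        out = out.replaceAll("%", "％");  // percent (LIKE wildcard)
        out = out.replaceAll("&", " ");   // ampersand
        return out;
    }

    /**
     * Returns true when the value contains "script" (case-insensitive) after all
     * whitespace is removed, so a spaced-out spelling is caught too. Nothing else
     * is detected here; other characters are only rewritten by {@link #getQjString}.
     *
     * @param parameter value to inspect; null or empty is accepted
     */
    public boolean getCheckString(String parameter) {
        if (parameter == null || "".equals(parameter)) {
            return false;
        }
        // The whitespace-stripped comparison is now actually applied (the
        // previous code discarded the result of replaceAll). Locale.ENGLISH keeps
        // the lower-casing of "I" stable regardless of the server's default locale.
        String compact = parameter.toLowerCase(Locale.ENGLISH).replaceAll("\\s+", "");
        return compact.indexOf("script") >= 0;
    }

    public void destroy() {
        this.config = null;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config = filterConfig;
    }

    /**
     * Debug helper: renders a parameter value for printing. A String[] becomes its
     * elements each followed by a comma, null becomes "NULL", anything else its
     * toString().
     */
    public String toParamenterString(Object obj) {
        if (obj == null) {
            return "NULL";
        }
        if (obj instanceof String[]) {
            String[] values = (String[]) obj;
            StringBuffer sb = new StringBuffer();
            for (int i = 0; i < values.length; i++) {
                sb.append(values[i]).append(',');
            }
            return sb.toString();
        }
        return obj.toString();
    }

    /**
     * Debug helper: dumps every request header to System.out. Headers can carry
     * credentials (Cookie, Authorization), so this should stay out of production
     * code paths.
     */
    public void printHttpHeader(HttpServletRequest request) {
        Enumeration e = request.getHeaderNames();
        if (e == null) {
            return;
        }
        System.out.println("\n\n\n开始打印HTTP头信息");
        while (e.hasMoreElements()) {
            String name = (String) e.nextElement();
            String value = request.getHeader(name);
            System.out.println(name + "=" + value);
        }
        System.out.println("打印完毕\n\n\n");
    }
}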
ParameterRequestWrapper.java
package com.hyjx.filter;

import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Request wrapper that answers parameter lookups from a caller-supplied map,
 * falling back to the wrapped request for names the map does not contain.
 * CharFilter uses it on WebLogic, where the container's own parameter map is
 * not rewritten in place.
 */
public class ParameterRequestWrapper extends HttpServletRequestWrapper {

    /** Parameter name -> value (String[], String, or any other object); not copied. */
    private Map params;

    /** The request this wrapper was built around, exposed via getSuperRequest(). */
    private HttpServletRequest request;

    /**
     * @param request   the request to wrap
     * @param newParams the map to serve parameters from; kept by reference
     */
    public ParameterRequestWrapper(HttpServletRequest request, Map newParams) {
        super(request);
        this.request = request;
        this.params = newParams;
    }

    /** Returns the wrapped request, so a filter can avoid wrapping it twice. */
    public HttpServletRequest getSuperRequest() {
        return request;
    }

    /** The map given at construction, not a copy. */
    public Map getParameterMap() {
        return params;
    }

    public Enumeration getParameterNames() {
        return new Vector(params.keySet()).elements();
    }

    /**
     * Values for {@code name} from the map, coerced to a String[]; delegates to
     * the wrapped request when the map has no entry.
     */
    public String[] getParameterValues(String name) {
        Object raw = params.get(name);
        return raw == null ? super.getParameterValues(name) : asStringArray(raw);
    }

    /**
     * First value for {@code name} from the map ({@code null} when the stored
     * array is empty); delegates to the wrapped request when the map has no entry.
     */
    public String getParameter(String name) {
        Object raw = params.get(name);
        if (raw == null) {
            return super.getParameter(name);
        }
        String[] values = asStringArray(raw);
        return values.length > 0 ? values[0] : null;
    }

    /** A String[] is returned as is; anything else becomes a one-element array of its toString(). */
    private static String[] asStringArray(Object raw) {
        if (raw instanceof String[]) {
            return (String[]) raw;
        }
        return new String[] { raw.toString() };
    }
}
第二步:在你工程的web.xml中加入如下代码:
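<filter>
    <filter-name>CharFilter</filter-name>
    <!-- Must match the package declared in CharFilter.java (com.hyjx.filter);
         the value com.hangyjx.filter.CharFilter shown originally does not exist
         in the listing and the container would fail to load the filter. -->
    <filter-class>com.hyjx.filter.CharFilter</filter-class>
    <init-param>
        <!-- Comma-separated URI fragments; a request URI containing any of them
             is not filtered (substring match), so keep them specific. -->
        <param-name>excludeURL</param-name>
        <param-value>columncontentAction!insert.dhtml,columncontentAction!update.dhtml</param-value>
    </init-param>
    <init-param>
        <!-- "tomcat" selects the Tomcat code path; any other value (e.g. "weblogic")
             selects the WebLogic code path. -->
        <param-name>appServer</param-name>
        <param-value>weblogic</param-value>
    </init-param>
</filter>
<!-- A filter is only invoked for requests matched by a filter-mapping; without
     one the declaration above has no effect. -->
<filter-mapping>
    <filter-name>CharFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>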
第三步:写一个错误提示页面。
即第一个类(CharFilter)在检测到特殊字符时重定向到的 /charError/charError.html 页面。
j2ee中防止sql注入实现