package com.tgisserver.cloud.jpamanager.common.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import org.springframework.context.annotation.Configuration;
/**
-
@author zzj
-
@date 2022年05月23日 14:39
-
des 防止SQL注入过滤器,如果正则匹配结果是false则返回异常信息
/
@WebFilter(urlPatterns = "/“, filterName = “sqlFilter”)
@Configuration
public class SqlFilter implements Filter {
private static final Pattern PATTERN = Pattern.compile(”\b(\sand\s|\sexec\s|\sinsert\s|\sselect\s|\sdrop\s|\sgrant\s|\salter\s|\s*" +
“delete\s*|\supdate\s|\scount\s|\schr\s|\smid\s|\smaster\s|\struncate\s|\schar\s|\sdeclare\s|\sor\s)\b|(\*|;|\+)”);@Override
public void init(FilterConfig filterConfig) throws ServletException {}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
ServletRequest request = servletRequest;
ServletResponse response = servletResponse;
// 获得所有请求参数名
Enumeration names = request.getParameterNames();
String sql = “”;
while (names.hasMoreElements()) {
// 得到参数名
String name = names.nextElement().toString();
// 得到参数对应值
String[] values = request.getParameterValues(name);
for (int i = 0; i < values.length; i++) {
sql += values[i];
}
}
if (sqlValidate(sql)) {
throw new IOException(“您发送请求中的参数中含有非法字符”);
} else {
filterChain.doFilter(request, response);
}
}// 效验
protected static boolean sqlValidate(String str) {
String s = str.toLowerCase();// 统一转为小写// 使用正则表达式进行匹配 Matcher matcher = PATTERN.matcher(s); return matcher.find();
}
@Override
public void destroy() {}
}