若依框架增加SQL防注入处理,SpringBoot项目可用
思路:增加Filter对请求中的请求参数进行过滤进行处理,如果不成功响应失败
增加Filter
- 代码如下
package com.unicom.tsm.framework.filter;
import com.unicom.tsm.common.exception.BusinessException;
import org.springframework.context.annotation.Configuration;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* @Author Lxy
* @Description
* WebFilter中的"/*"表示拦截所有的请求
*/
@WebFilter(urlPatterns = "/*",filterName = "sqlFilter")
@Configuration
public class SqlFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
ServletRequest request = servletRequest;
ServletResponse response = servletResponse;
// 从request中获取当前请求中所有的参数名称
Enumeration<String> names = request.getParameterNames();
String sql = "";
while (names.hasMoreElements()) {
// 从name中取出所有的参数名称
String name = names.nextElement().toString();
// 根据参数名称获取所有的参数对应的值
String[] values = request.getParameterValues(name);
for (int i = 0; i < values.length; i++) {
sql += values[i];
}
}
if (sqlValidate(sql)) {
// 拦截后的处理可以直接响应
HttpServletResponse resp = (HttpServletResponse) response ;
resp.setStatus(500);
ServletOutputStream outputStream = resp.getOutputStream();
outputStream.write(new String("非法请求".getBytes(),"utf-8").getBytes());
outputStream.flush();
} else {
filterChain.doFilter(request, response);
}
}
//效验
protected static boolean sqlValidate(String str){
String badStr =
"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
+ "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|\\>|\\<)\\b)";
Pattern compile = Pattern.compile(badStr, Pattern.CASE_INSENSITIVE);
Matcher matcher = compile.matcher(str);
//使用正则表达式进行匹配
return matcher.find();
}
@Override
public void destroy() {
}
}
添加完成后重启项目然后测试一下SQL注入的问题试试呢。自测没问题