package sql_injection.lz;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang.StringEscapeUtils;
/**
* http://blog.csdn.net/nio96/article/details/50925455
*
*
* commons-lang-2.5.jar
* org.apache.commons.lang.StringEscapeUtils;
*
*
* 1: SQL 本身关键词
* 2:数据库用户、权限
------------------------------------------------------------
web.xml
<filter>
<filter-name>XssSqlFilter</filter-name>
<filter-class>sql_injection.lz.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssSqlFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
------------------------------------------------------------
*
* @author ZengWenFeng
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper
{
public XssHttpServletRequestWrapper(HttpServletRequest servletRequest)
{
super(servletRequest);
}
public String[] getParameterValues(String parameter)
{
String[] values = super.getParameterValues(parameter);
if (values == null)
{
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++)
{
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
public String getParameter(String parameter)
{
String value = super.getParameter(parameter);
if (value == null)
{
return null;
}
return cleanXSS(value);
}
public String getHeader(String name)
{
String value = super.getHeader(name);
if (value == null)
return null;
return cleanXSS(value);
}
private String cleanXSS(String value)
{
//You'll need to remove the spaces from the html entities below
value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
value = value.replaceAll("'", "& #39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
/**
* commons-lang-2.5.jar
*
* @param value
* @return
*/
public String cleanSQL(String value)
{
return StringEscapeUtils.escapeSql(value);
}
}
package sql_injection.lz;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* XssHttpServletRequestWrapper.java
*
* @author ZengWenFeng
*/
public class XssFilter implements Filter
{
FilterConfig filterConfig = null;
public void init(FilterConfig filterConfig) throws ServletException
{
this.filterConfig = filterConfig;
}
public void destroy()
{
this.filterConfig = null;
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
}
}
package sql_injection;
import java.util.Enumeration;
import java.util.Map;
import java.util.Vector;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class ParameterRequestWrapper extends HttpServletRequestWrapper
{
private Map params;
private HttpServletRequest request;
public ParameterRequestWrapper(HttpServletRequest request, Map newParams)
{
super(request);
this.params = newParams;
this.request = request;
}
public HttpServletRequest getSuperRequest()
{
return this.request;
}
public Map getParameterMap()
{
return params;
}
public Enumeration getParameterNames()
{
Vector l = new Vector(params.keySet());
return l.elements();
}
public String[] getParameterValues(String name)
{
Object v = params.get(name);
if (v == null)
{
return super.getParameterValues(name);
}
else if (v instanceof String[])
{
return (String[]) v;
}
else if (v instanceof String)
{
return new String[]{(String) v};
}
else
{
return new String[]{v.toString()};
}
}
public String getParameter(String name)
{
Object v = params.get(name);
if (v == null)
{
return super.getParameter(name);
}
else if (v instanceof String[])
{
String[] strArr = (String[]) v;
if (strArr.length > 0)
{
return strArr[0];
}
else
{
return null;
}
}
else if (v instanceof String)
{
return (String) v;
}
else
{
return v.toString();
}
}
}