一直以来服务器没有被攻击过,前一段时间忽然发现数据库中多了很多垃圾数据,很明显是被sql注入的行为,看来是时候要认真起来了。
首先,什么是sql注入,度娘一下一大堆,官方语言我就不多说了,说说我自己的理解吧。
sql注入就是通过url或者post提交数据时候,字符串类型的参数会被别人利用传入sql语句,最终破坏数据库或者达到一些见不得人的目的。
有时候因为业务需要url中会带一些参数,比如 ?type=xxx 一些人就会把type写成sql语句
比如:?type=' or 1=1-- 最终拼接成的sql语句就变成了:select * from table where disabled=0 and type='' or 1=1 -- and id=1 如此一来 -- 后面的条件就会被屏蔽,结果就成了 1=1 也就是查询这张表所有数据。
这还算是最温柔的,更有甚者,把输入的参数变成update delete drop 不就麻烦大了。
下面说一下最简单、直接、有效的方式吧:
1.写检测类:
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import net.sf.json.JSONObject;
/**
* 包装 Request 对象,过滤参数值中的XML字符
*/
@SuppressWarnings("unchecked")
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static final String[] EMPTY_STRING_ARRAY = new String[] {};
private Map params;
private HttpServletRequest request;
private HttpServletResponse response;
public XssHttpServletRequestWrapper(HttpServletRequest request,
HttpServletResponse response) {
super(request);
this.request = request;
this.response = response;
params = new HashMap();
Map rm = request.getParameterMap();
Iterator iterator = rm.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry entry = (Map.Entry) iterator.next();
Object key = entry.getKey();
String[] value = (String[]) entry.getValue();
if (value != null && value.length > 0) {
String[] newValue = new String[value.length];
for (int i = 0, m = value.length; i < m; i++) {
newValue[i] = Utility.escapeXml(value[i]);
}
params.put(
Utility.escapeXml(key == null ? "" : key.toString()),
newValue);
} else
params.put(Utility.escapeXml(key.toString()),
EMPTY_STRING_ARRAY);
}
}
// 效验
protected static boolean sqlValidate(String str) {
str = str.toLowerCase();// 统一转为小写
str.replaceAll("--", "——");
str.replaceAll("'", "’");
String badStr = "'|or |exec|execute|insert|select|delete|update|master|truncate|javascript|count(*)|"
+ "declare|create|" + "grant|script|iframe" + "|--";// 过滤掉的sql关键字,可以手动添加
String[] badStrs = badStr.split("\\|");
for (int i = 0; i < badStrs.length; i++) {
if (str.indexOf(badStrs[i].toLowerCase()) >= 0) {
return true;
}
}
return false;
}
@Override
public String getParameter(String name) {
String[] value = (String[]) params.get(name);
if (value != null)
if (value.length > 0)
return value[0];
else
return "";
else
return null;
}
@Override
public Map getParameterMap() {
return params;
}
@Override
public String[] getParameterValues(String name) {
return (String[]) params.get(name);
}
public boolean isOk() {
// 对所有请求参数的name和value做字符编码并缓存
Map rm = request.getParameterMap();
Iterator iterator = rm.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry entry = (Map.Entry) iterator.next();
Object key = entry.getKey();
String[] value = (String[]) entry.getValue();
if (value != null && value.length > 0) {
String[] newValue = new String[value.length];
for (int i = 0, m = value.length; i < m; i++) {
newValue[i] = Utility.escapeXml(value[i]);
if (sqlValidate(value[i])) {
return false;
}
}
}
}
return true;
}
}
2.写一个过滤器,拦截请求,检查字符串类型的参数:
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
/**
* 包装 Request 对象,过滤参数值中的XML字符
*/
@SuppressWarnings("unchecked")
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static final String[] EMPTY_STRING_ARRAY = new String[] {};
private Map params;
private HttpServletRequest request;
private HttpServletResponse response;
public XssHttpServletRequestWrapper(HttpServletRequest request,
HttpServletResponse response) {
super(request);
this.request = request;
this.response = response;
params = new HashMap();
Map rm = request.getParameterMap();
Iterator iterator = rm.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry entry = (Map.Entry) iterator.next();
Object key = entry.getKey();
String[] value = (String[]) entry.getValue();
if (value != null && value.length > 0) {
String[] newValue = new String[value.length];
for (int i = 0, m = value.length; i < m; i++) {
newValue[i] = Utility.escapeXml(value[i]);
}
params.put(Utility.escapeXml(key==null?"":key.toString()), newValue);
} else
params.put(Utility.escapeXml(key.toString()),
EMPTY_STRING_ARRAY);
}
}
// 效验
protected static boolean sqlValidate(String str) {
str = str.toLowerCase();// 统一转为小写
str.replaceAll("--","——");
str.replaceAll("'","’");
String badStr = "'|or |exec|execute|insert|select|delete|update|master|truncate|javascript|count(*)|"
+ "declare|create|" + "grant|script|iframe" + "|--";// 过滤掉的sql关键字,可以手动添加
String[] badStrs = badStr.split("\\|");
for (int i = 0; i < badStrs.length; i++) {
if (str.indexOf(badStrs[i].toLowerCase()) >= 0) {
return true;
}
}
return false;
}
@Override
public String getParameter(String name) {
String[] value = (String[]) params.get(name);
if (value != null)
if (value.length > 0)
return value[0];
else
return "";
else
return null;
}
@Override
public Map getParameterMap() {
return params;
}
@Override
public String[] getParameterValues(String name) {
return (String[]) params.get(name);
}
public boolean isOk() {
// 对所有请求参数的name和value做字符编码并缓存
Map rm = request.getParameterMap();
Iterator iterator = rm.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry entry = (Map.Entry) iterator.next();
Object key = entry.getKey();
String[] value = (String[]) entry.getValue();
if (value != null && value.length > 0) {
String[] newValue = new String[value.length];
for (int i = 0, m = value.length; i < m; i++) {
newValue[i] = Utility.escapeXml(value[i]);
if (sqlValidate(value[i])) {
return false;
}
}
}
}
return true;
}
}
3.最后,web.xml中加入配置
Set Character Encoding
/*
XssFilter
com.xtwl.gsl2.filter.XssFilter
XssFilter
/*
有了以上过滤器就可以放心不少了,对的,是放心不少了,当然还有别的需要注意的,比如数据库用户一定不能用root或者sa。。服务器端验证必不可少。。不能直接拼装sql语句。。。等等。
总之,防止sql注入,还是得从养成良好的编程习惯开始。
--------------------------------------------------------------------------------------------------------------------------------------
用得着的童鞋可以点个赞,收藏一下。
有不明白的地方可以联系我QQ或者群里,有问必答,互帮互助
QQ群:530456619
QQ:707012377