1- 配置web.xml,增加过滤器配置
<!-- Registers SqlInjectFilter on every URL. Each init-param below is read by
     SqlInjectFilter.init(); a missing param keeps the filter's built-in default. -->
<filter>
<filter-name>PreventSqlInject</filter-name>
<filter-class>SqlInjectFilter</filter-class>
<!--split with blank -->
<!-- A request is rejected when any parameter value contains one of these tokens
     as a case-insensitive substring. Short entries such as "and", "or", "%" and
     "'" therefore also reject ordinary input (e.g. "Android", "O'Brien"), and
     "destory" looks like a misspelling of "destroy" - confirm which was intended. -->
<init-param>
<param-name>sensitive-words</param-name>
<param-value>select insert delete from update create destory drop alter and or like exec count chr mid master truncate char declare ; ' % < ></param-value>
</init-param>
<!--split with blank -->
<!-- Values of these parameters are Base64-decoded before the check. -->
<init-param>
<param-name>encrypting-parameter-names</param-name>
<param-value>username password</param-value>
</init-param>
<!-- error page -->
<!-- Context-relative redirect target; the filter stores the rejected value in the
     "sqlInjectError" session attribute for this page to display. -->
<init-param>
<param-name>error-page</param-name>
<param-value>/sqlInjectError.jsp</param-value>
</init-param>
<!-- debug -->
<!-- "true" prints the configuration and every inspected parameter, including the
     decoded username/password values, to standard output - keep it "false"
     outside development. -->
<init-param>
<param-name>debug</param-name>
<param-value>false</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>PreventSqlInject</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2- 实现过滤器 SqlInjectFilter
import java.io.IOException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
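/**
 * Servlet filter that rejects requests whose parameters contain one of a
 * configured list of "sensitive" SQL words or characters, redirecting the
 * client to an error page instead of passing the request down the chain.
 *
 * <p>Configuration comes from the filter's init parameters (see web.xml):
 * <ul>
 *   <li>{@code sensitive-words}: blank-separated tokens; a request is rejected
 *       when any parameter value contains one of them as a case-insensitive
 *       substring;</li>
 *   <li>{@code encrypting-parameter-names}: blank-separated parameter names
 *       whose values are Base64-decoded before the check;</li>
 *   <li>{@code error-page}: context-relative redirect target;</li>
 *   <li>{@code debug}: when {@code true}, prints the configuration and every
 *       inspected parameter (decoded) to standard output.</li>
 * </ul>
 *
 * <p>NOTE(review): a substring blocklist is a coarse heuristic and not a
 * substitute for parameterized queries in the data layer. Short entries such
 * as {@code and}, {@code or} or {@code %} also match ordinary input (for
 * example "Android" or "Oracle"), so false rejections are expected with the
 * default word list.
 */
public class SqlInjectFilter implements Filter {
    /** Charset used for the request and for Base64 decoding. */
    private static final String ENCODING = "UTF-8";
    /** Redirect target when {@code error-page} is not configured. */
    private static final String DEFAULT_ERROR_PAGE = "/sqlInjectError.jsp";

    // Configuration is held per filter instance rather than in static fields so
    // that two filter declarations with different init-params do not overwrite
    // each other. All four fields are written once in init() and only read
    // afterwards.
    /** Sensitive words as configured (original case, used in messages). */
    private List<String> sensWords = new ArrayList<String>();
    /** Names of parameters whose values are Base64-decoded before checking. */
    private List<String> encrParams = new ArrayList<String>();
    /** Context-relative error page. */
    private String error = DEFAULT_ERROR_PAGE;
    /** Debug switch; enables System.out tracing. */
    private boolean debug = false;

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no external resources.
    }

    /**
     * Inspects every value of every request parameter and either redirects to
     * the error page (the first offending value wins) or continues the chain.
     *
     * @throws IOException if the redirect or the charset conversion fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain fc)
            throws IOException, ServletException {
        if (debug) {
            System.out.println("prevent sql inject filter works");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Must precede the first parameter access; afterwards the container
        // has already decoded the body with its default charset.
        request.setCharacterEncoding(ENCODING);
        Set<String> keys = request.getParameterMap().keySet();
        for (String key : keys) {
            // Check every value of the parameter, not only the first one: a
            // repeated parameter would otherwise slip through on its second
            // occurrence.
            String[] values = request.getParameterValues(key);
            if (values == null) {
                continue;
            }
            boolean decode = encrParams.contains(key);
            for (String raw : values) {
                if (raw == null) {
                    continue;
                }
                String value = decode ? decodeBase64(raw) : raw;
                if (debug) {
                    System.out.println(MessageFormat.format("{0}={1}", key, value));
                }
                String word = findSensitiveWord(value);
                if (word != null) {
                    // The rejected value is stored for the error page; it is
                    // client-supplied, so the page must escape it on output.
                    request.getSession().setAttribute(
                            "sqlInjectError",
                            "the request parameter \"" + value
                                    + "\" contains keyword: \"" + word + "\"");
                    response.sendRedirect(request.getContextPath() + error);
                    return;
                }
            }
        }
        fc.doFilter(req, res);
    }

    /**
     * Base64-decodes a parameter value, treating both the encoded text and the
     * decoded bytes as UTF-8 rather than the platform default charset.
     *
     * @throws IOException if the charset is unavailable (the conversions
     *     declare a checked UnsupportedEncodingException)
     */
    private static String decodeBase64(String encoded) throws IOException {
        byte[] decoded = Base64.decodeBase64(encoded.getBytes(ENCODING));
        return new String(decoded, ENCODING);
    }

    /**
     * Returns the first configured sensitive word contained in {@code value}
     * (case-insensitive substring match), or {@code null} when none matches.
     */
    private String findSensitiveWord(String value) {
        // Upper-case the value once rather than once per word, and use a fixed
        // locale so the comparison does not depend on the server's default.
        String upper = value.toUpperCase(Locale.ROOT);
        for (String word : sensWords) {
            if (upper.contains(word.toUpperCase(Locale.ROOT))) {
                return word;
            }
        }
        return null;
    }

    /**
     * Reads the init parameters; a missing parameter keeps its default.
     * Word and parameter-name lists are split on runs of whitespace and blank
     * tokens are dropped, because an empty word is contained in every value
     * and would reject every request.
     */
    @Override
    public void init(FilterConfig conf) throws ServletException {
        String sSensiWord = conf.getInitParameter("sensitive-words");
        String sEncryParam = conf.getInitParameter("encrypting-parameter-names");
        String errorPage = conf.getInitParameter("error-page");
        String de = conf.getInitParameter("debug");
        if (errorPage != null) {
            error = errorPage;
        }
        if (sSensiWord != null) {
            sensWords = splitTokens(sSensiWord);
        }
        if (sEncryParam != null) {
            encrParams = splitTokens(sEncryParam);
        }
        if (de != null && Boolean.parseBoolean(de)) {
            debug = true;
            System.out.println("PreventSQLInject Filter staring...");
            System.out.println("print filter details");
            System.out.println("sensitive words as fllows (split with blank):");
            for (String s : sensWords) {
                System.out.print(s + " ");
            }
            System.out.println();
            System.out.println("encrypting parameter key as fllows (split with blank):");
            for (String s : encrParams) {
                System.out.print(s + " ");
            }
            System.out.println();
            System.out.println("error page as fllows");
            System.out.println(error);
            System.out.println();
        }
    }

    /** Splits a blank-separated init-param value into its non-empty tokens. */
    private static List<String> splitTokens(String text) {
        List<String> tokens = new ArrayList<String>();
        for (String token : text.trim().split("\\s+")) {
            if (token.length() > 0) {
                tokens.add(token);
            }
        }
        return tokens;
    }
}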
3-新增 errorPage 页面 sqlInjectError.jsp
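<%@ page language="java" import="java.util.*" contentType="text/html;charset=utf-8" %>
<%!
// HTML-escapes a value before it is written into the page. The
// "sqlInjectError" session attribute set by SqlInjectFilter embeds the
// rejected request parameter verbatim, so printing it unescaped would let
// that client-supplied value inject markup into this page. A missing
// attribute renders as an empty string instead of the text "null".
private static String escapeHtml(Object value) {
    if (value == null) {
        return "";
    }
    return value.toString()
            .replace("&", "&amp;")
            .replace("<", "&lt;")
            .replace(">", "&gt;")
            .replace("\"", "&quot;")
            .replace("'", "&#39;");
}
%>
<%
String path = request.getContextPath();
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>防sql注入系统</title>
</head>
<body>
<h6>
<font color="red">这个是防sql注入系统,自动过滤您的请求,请更换请求字符串。 </font>
<%-- the attribute carries client-supplied request data: always escape it --%>
<%=escapeHtml(session.getAttribute("sqlInjectError"))%>
</h6>
</body>
</html>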