因为竖线|在有特殊含义,所以我们要进行转义后分割。badStr.split("\|");
所以具体的写法就是:protected static boolean sqlValidate(String str) {
str = str.toLowerCase();//统一转为小写
String badStr = "'|and|exec|waitfot|delay|sysusers|html|function|group by|database|user|system_user|session_user|substring|" +
"sysobjects|chongqing|script|ajax|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|" +
"char|declare|sitename|net user|xp_cmdshell|like'|create|table|from|grant|use|group_concat|column_name|" +
"information_schema.columns|table_schema|union|where|order|by|--|+|like|#";//过滤掉的sql关键字,可以手动添加
String[] badStrs = badStr.split("\|");
for (int i = 0; i
//循环检测,判断在请求参数当中是否包含SQL关键字
if (str.indexOf(badStrs[i]) >= 0) {
return true;
}
}
return false;
}