1- 配置web.xml,增加过滤器配置 (register the filter in web.xml, mapped to /*). Note: this filter is a keyword blacklist on request parameters only; it is defense-in-depth, not a substitute for parameterized queries (PreparedStatement) in the data layer.
PreventSqlInject
SqlInjectFilter
sensitive-words
select insert delete from update create destroy drop alter and or like exec count chr mid master truncate char declare ; ' % < >
encrypting-parameter-names
username password
error-page
/sqlInjectError.jsp
debug
false
PreventSqlInject
/*
2- 实现过滤器 SqlInjectFilter
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
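/**
 * Servlet filter that rejects requests whose parameters contain blacklisted
 * SQL fragments (case-insensitive substring match) and redirects them to an
 * error page.
 *
 * <p>Security caveats a deployer must understand:
 * <ul>
 *   <li>A keyword blacklist is NOT a SQL injection defense on its own. The only
 *       reliable control is parameterized queries in the data layer; this filter
 *       is defense-in-depth / noise reduction at best.</li>
 *   <li>Substring matching produces false positives: with the default word list,
 *       any value containing "or" or "and" (e.g. "password", "Andrew") or a
 *       single quote / percent sign is rejected.</li>
 *   <li>Only request parameters (query string and form body) are inspected.
 *       Headers, cookies, path segments and non-form bodies (JSON, XML,
 *       multipart) are not.</li>
 * </ul>
 *
 * <p>Configuration (filter init-params, all optional):
 * <ul>
 *   <li>{@code sensitive-words}: whitespace-separated blacklist.</li>
 *   <li>{@code encrypting-parameter-names}: whitespace-separated names of
 *       parameters that arrive Base64-encoded (despite the name, Base64 is an
 *       encoding, not encryption) and are decoded before inspection. Their
 *       values are treated as secrets and never written to the log or the
 *       session error message.</li>
 *   <li>{@code error-page}: context-relative redirect target.</li>
 *   <li>{@code debug}: "true" enables stdout tracing.</li>
 * </ul>
 *
 * <p>Changes from the previous revision: generic collections (the raw
 * {@code List}/{@code Set} for-each loops did not compile), all values of a
 * multi-valued parameter are inspected instead of only the first, explicit
 * UTF-8 for the Base64 byte conversion, locale-independent case folding,
 * empty tokens from doubled spaces in the word list no longer match every
 * request, configuration is per filter instance rather than static, and
 * secret parameter values are masked in logs and the session attribute.
 */
public class SqlInjectFilter implements Filter {

    /** Redirect target used when {@code error-page} is not configured. */
    private static final String DEFAULT_ERROR_PAGE = "/sqlInjectError.jsp";

    /** Placeholder written instead of the value of a secret parameter. */
    private static final String MASKED = "***";

    /** Blacklisted fragments, in configured case; never contains empty strings. */
    private List<String> sensWords = new ArrayList<String>();

    /** Names of Base64-encoded (secret) parameters. */
    private List<String> encrParams = new ArrayList<String>();

    /** Context-relative redirect target on a match. */
    private String error = DEFAULT_ERROR_PAGE;

    /** Whether to trace parameters and configuration to stdout. */
    private boolean debug = false;

    @Override
    public void destroy() {
        // Nothing to release: the filter only holds configuration parsed in init().
    }

    /**
     * Inspects every value of every request parameter. On the first blacklist
     * hit the request is redirected to the error page and the chain is not
     * invoked; otherwise the request proceeds unchanged.
     *
     * @param req  the incoming request (cast to {@link HttpServletRequest})
     * @param res  the response (cast to {@link HttpServletResponse})
     * @param fc   the rest of the filter chain
     * @throws IOException      from {@code sendRedirect} or the chain
     * @throws ServletException from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain fc)
            throws IOException, ServletException {
        if (debug) {
            System.out.println("prevent sql inject filter works");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Must run before the first getParameter*() call. It is a no-op if an
        // earlier filter or the container already parsed the body.
        request.setCharacterEncoding("UTF-8");

        // getParameterMap() returns String -> String[]; inspecting every value
        // closes the "duplicate parameter name" bypass of getParameter(key),
        // which only returns the first value.
        Map<String, String[]> params = request.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String key = entry.getKey();
            String[] values = entry.getValue();
            if (values == null) {
                continue;
            }
            boolean secret = encrParams.contains(key);
            for (String raw : values) {
                if (raw == null) {
                    continue;
                }
                String value = secret ? decodeBase64(raw) : raw;
                if (debug) {
                    // Never echo decoded credentials to stdout.
                    System.out.println(MessageFormat.format("{0}={1}", key,
                            secret ? MASKED : value));
                }
                String hit = findSensitiveWord(value, sensWords);
                if (hit != null) {
                    // The message embeds a raw request value. Any page that
                    // renders this attribute must HTML-escape it, otherwise
                    // this is a stored/reflected XSS vector.
                    String shown = secret ? MASKED : value;
                    request.getSession().setAttribute(
                            "sqlInjectError",
                            "the request parameter \"" + shown
                                    + "\" contains keyword: \"" + hit + "\"");
                    response.sendRedirect(request.getContextPath() + error);
                    return;
                }
            }
        }
        fc.doFilter(req, res);
    }

    /**
     * Reads the init-params described in the class comment. Missing
     * {@code sensitive-words} / {@code encrypting-parameter-names} yield empty
     * lists (the filter then blocks nothing); a missing {@code debug} is false.
     *
     * @param conf the filter configuration supplied by the container
     * @throws ServletException never thrown here; declared by the interface
     */
    @Override
    public void init(FilterConfig conf) throws ServletException {
        String errorPage = conf.getInitParameter("error-page");
        if (errorPage != null) {
            error = errorPage;
        }
        sensWords = parseWords(conf.getInitParameter("sensitive-words"));
        encrParams = parseWords(conf.getInitParameter("encrypting-parameter-names"));
        // Boolean.parseBoolean(null) is false, so a missing param disables debug.
        debug = Boolean.parseBoolean(conf.getInitParameter("debug"));

        if (debug) {
            System.out.println("PreventSQLInject Filter staring...");
            System.out.println("print filter details");
            System.out.println("sensitive words as fllows (split with blank):");
            for (String s : sensWords) {
                System.out.print(s + " ");
            }
            System.out.println();
            System.out.println("encrypting parameter key as fllows (split with blank):");
            for (String s : encrParams) {
                System.out.print(s + " ");
            }
            System.out.println();
            System.out.println("error page as fllows");
            System.out.println(error);
            System.out.println();
        }
    }

    /**
     * Decodes a Base64 parameter value using UTF-8 on both sides. The previous
     * code used the platform default charset, which made the inspected text
     * depend on the JVM's {@code file.encoding}.
     *
     * @param encoded the Base64 text as received; must not be null
     * @return the decoded text
     */
    private static String decodeBase64(String encoded) {
        byte[] decoded = Base64.decodeBase64(encoded.getBytes(StandardCharsets.UTF_8));
        return new String(decoded, StandardCharsets.UTF_8);
    }

    /**
     * Returns the first blacklisted word that occurs in {@code value}
     * (case-insensitive substring test, {@link Locale#ROOT} folding so the
     * result does not depend on the server locale), or {@code null} if none.
     * An empty or null value never matches; an empty word list never matches.
     * Package-private for unit testing.
     *
     * @param value the (already decoded) parameter value
     * @param words the blacklist, in configured case
     * @return the matching word as configured, or null
     */
    static String findSensitiveWord(String value, List<String> words) {
        if (value == null || value.isEmpty() || words == null) {
            return null;
        }
        // Fold the value once rather than per word.
        String upper = value.toUpperCase(Locale.ROOT);
        for (String word : words) {
            if (word != null && !word.isEmpty()
                    && upper.contains(word.toUpperCase(Locale.ROOT))) {
                return word;
            }
        }
        return null;
    }

    /**
     * Splits a whitespace-separated init-param into tokens, dropping empty
     * ones. {@code split(" ")} previously turned a doubled or leading space
     * into an empty word, and {@code contains("")} is true for every string,
     * which silently blocked every request. Package-private for unit testing.
     *
     * @param configured the raw init-param value, may be null
     * @return a mutable list of non-empty tokens (empty when the input is null/blank)
     */
    static List<String> parseWords(String configured) {
        List<String> words = new ArrayList<String>();
        if (configured == null) {
            return words;
        }
        for (String token : configured.trim().split("\\s+")) {
            if (!token.isEmpty()) {
                words.add(token);
            }
        }
        return words;
    }
}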
3-新增 errorPage 页面 sqlInjectError.jsp
String path = request.getContextPath();
%>
HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
防sql注入系统这个是防sql注入系统,自动过滤您的请求,请更换请求字符串。