I downloaded some code from the internet! When I copied it into my program, the database kept throwing a null pointer!
package security;

import java.io.IOException;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SQLFilter implements Filter
{
    // Default keyword blacklist; init() replaces it with the "keywords" init-param from web.xml
    private String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";
    protected FilterConfig filterConfig = null;
    /* Should a character encoding specified by the client be ignored? */
    protected boolean ignore = true;

    public void destroy(){}

    public void init(FilterConfig config) throws ServletException
    {
        this.filterConfig = config;
        // getInitParameter() returns null when web.xml defines no "keywords" init-param;
        // the field then becomes null and sql_inj() throws NullPointerException in split()
        this.inj_str = filterConfig.getInitParameter("keywords");
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
    {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        Iterator values = req.getParameterMap().values().iterator(); // get all form parameters
        while (values.hasNext())
        {
            String[] value = (String[]) values.next();
            for (int i = 0; i < value.length; i++)
            {
                if (sql_inj(value[i]))
                {
                    // TODO: business logic to run when SQL injection is detected
                    return;
                }
            }
        }
        chain.doFilter(request, response); // passes the request on to the next object in the filter chain
    }

    public boolean sql_inj(String str)
    {
        String[] inj_stra = inj_str.split("\\|"); // split() breaks the string into an array of tokens
        for (int i = 0; i < inj_stra.length; i++)
        {
            // compare the input against each token defined in inj_str; indexOf() >= 0 means a blacklisted token was found
            if (str.indexOf(" " + inj_stra[i] + " ") >= 0)
            {
                return true;
            }
        }
        return false;
    }
}
Error message
java.lang.NullPointerException
security.SQLFilter.sql_inj(SQLFilter.java:52)
security.SQLFilter.doFilter(SQLFilter.java:41)
The value I entered is all garbled! Please help! Waiting online!
What I need to validate right now is the administrator login; the content is a code and a password!
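The following is an added example, not code from the post or its original source. It is a hypothetical null-safe rewrite of the same filter showing the two things a practitioner would check first: `init()` must not overwrite the blacklist with `null` when web.xml supplies no "keywords" init-param (the `NullPointerException` in `sql_inj()` above), and the request body must be decoded with a known charset before the first `getParameter*` call, or POST values arrive garbled. The class name `SafeSQLFilter`, the "encoding" init-param, and the `admin(username, password_hash)` table used by `adminExists()` are assumptions for illustration; "keywords" is the init-param name the post itself uses.

```java
package security;

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Hypothetical null-safe rewrite of the posted filter (example code, not the original). */
public class SafeSQLFilter implements Filter {

    // Same blacklist the post uses, kept as the fallback when web.xml supplies none
    static final String DEFAULT_KEYWORDS =
        "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";

    private FilterConfig filterConfig;
    private Pattern keywordPattern;
    private String encoding = "UTF-8";   // assumed default; overridable via an "encoding" init-param

    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
        String keywords = config.getInitParameter("keywords");
        // The posted code assigns this unconditionally; a missing init-param turns the field
        // into null and split() throws. Fall back to the built-in list instead.
        if (keywords == null || keywords.trim().isEmpty()) {
            keywords = DEFAULT_KEYWORDS;
        }
        String enc = config.getInitParameter("encoding");
        if (enc != null && !enc.trim().isEmpty()) {
            encoding = enc.trim();
        }
        keywordPattern = buildPattern(keywords);
    }

    // Compile the '|'-separated blacklist once. Alphabetic tokens get word boundaries so
    // "select" is found in "1;select" without the surrounding spaces the post's indexOf() needs.
    static Pattern buildPattern(String keywords) {
        StringBuilder alternatives = new StringBuilder();
        for (String token : keywords.split("\\|")) {
            token = token.trim();
            if (token.isEmpty()) continue;
            if (alternatives.length() > 0) alternatives.append('|');
            if (token.matches("[A-Za-z]+")) {
                alternatives.append("\\b").append(token).append("\\b");
            } else {
                alternatives.append(Pattern.quote(token));
            }
        }
        return Pattern.compile("(?i)(?:" + alternatives + ")");
    }

    // True when the value contains any blacklisted token; tolerates null values.
    static boolean looksSuspicious(Pattern pattern, String value) {
        return value != null && pattern.matcher(value).find();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Decode the POST body with a known charset BEFORE any getParameter* call; once the
        // container has parsed the parameters the encoding can no longer be changed, which is
        // one cause of the garbled values the post describes. (GET query strings are decoded
        // by the container, e.g. Tomcat's URIEncoding connector attribute, not by this call.)
        if (request.getCharacterEncoding() == null) {
            request.setCharacterEncoding(encoding);
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        Map<String, String[]> params = req.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            for (String value : entry.getValue()) {
                if (looksSuspicious(keywordPattern, value)) {
                    // Send a real rejection instead of a bare return (which leaves an empty 200);
                    // log only the parameter name, never the submitted value.
                    filterConfig.getServletContext().log("SafeSQLFilter rejected parameter: " + entry.getKey());
                    res.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {}

    // Assumed schema: admin(username, password_hash). Binding the values as parameters keeps
    // user input out of the SQL text; that is the actual defence, the blacklist is only a tripwire.
    static boolean adminExists(Connection db, String username, String passwordHash) throws SQLException {
        String sql = "SELECT 1 FROM admin WHERE username = ? AND password_hash = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, passwordHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Register it in web.xml like the original filter, optionally with an `<init-param>` named `keywords`; if the parameter is absent the default list is used rather than `null`. Two caveats apply to the blacklist approach itself: tokens such as `and`, `or`, `-` and `,` will reject legitimate passwords and free text, and case or encoding variants the list does not name pass straight through, so the login query must still use a `PreparedStatement` as `adminExists()` does rather than rely on the filter.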