java 过滤器filter防sql注入的实现代码

java 过滤器filter防sql注入的实现代码

实例如下：

XSSFilter.java

public void doFilter(ServletRequest servletrequest,

ServletResponse servletresponse, FilterChain filterchain)

throws IOException, ServletException {

//flag = true 只做URL验证; flag = false 做所有字段的验证;

boolean flag = true;

if(flag){

//只对URL做xss校验

HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;

HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

String requesturi = httpServletRequest.getRequestURL().toString();

requesturi = URLDecoder.decode(requesturi, "UTF-8");

if(requesturi!=null&&requesturi.indexOf("alipay_hotel_book_return.html")!=-1){

filterchain.doFilter(servletrequest, servletresponse);

return;

}

if(requesturi!=null&&requesturi.indexOf("account_bank_return.html")!=-1){

filterchain.doFilter(servletrequest, servletresponse);

return;

}

if(requesturi!=null&&requesturi.indexOf("/alipay/activity.html")!=-1){

filterchain.doFilter(servletrequest, servletresponsehttp://);

return ;

}

if(requesturi!=null&&requesturi.indexOf("/alipayLogin.html")!=-1){

filterchain.doFilter(servletrequest, servletresponse);

return ;

}

RequestWrapper rw = new RequestWrapper(httpServletRequest);

String param = httpServletRequest.getQueryString();

if(!"".equals(param) && param != null) {

param = URLDecoder.decode(param, "UTF-8");

String originalurl = requesturi + param;

String sqlParam = param;

//添加sql注入的判断

if(requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")){

sqlParam = rw.cleanSQLInject(param);

}

String xssParam = rw.cleanXSS(sqlParam);

requesturi += "?"+xssParam;

if(!xssParam.equals(param)){

System.out.println("requesturi::::::"+requesturi);

httpServletResponse.sendRedirect(requesturi);

System.out.println("no entered.");

// filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);

return ;

}

}

filterchain.doFilter(servletrequest, servletresponse);

}else{

//对请求中的所有东西都做校验，包括表单。此功能校验比较严格容易屏蔽表单正常输入，使用此功能请注意。

filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);

}

}

requestMapping:

public RequestWrapper(){

super(null);

}

public RequestWrapper(HttpServletRequest httpservletrequest) {

super(httpservletrequest);

}

public String[] getParameterValues(String s) {

String str[] = super.getParameterValues(s);

if (str == null) {

return null;

}

int i = str.length;

String as1[] = new String[i];

for (int j = 0; j < i; j++) {

as1[j] = cleanXSS(cleanSQLInject(str[j]));

}

return as1;

}

public String getParameter(String s) {

String s1 = super.getParameter(s);

if (s1 == null) {

return null;

} else {

return cleanXSS(cleanSQLInject(s1));

}

}

public String getHeader(String s) {

String s1 = super.getHeader(s);

if (s1 == null) {

return null;

} else {

return cleanXSS(cleanSQLInject(s1));

}

}

public String cleanXSS(String src) {

String temp =src;

System.out.println("xss---temp-->"+src);

src = src.replaceAll("<", "<").replaceAll(">", ">");

// if (src.indexOf("address")==-1)

// {

src = src.replaceAll("\\(", "(").replaceAll("\\)", ")");

//}

src = src.replaceAll("'", "'");

Pattern pattern=Pattern.compile("(eval\\((.*)\\)|script)",Pattern.CASE_INSENSITIVE);

Matcher matcher=pattern.matcher(src);

src = matcher.replaceAll("");

pattern=Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']",Pattern.CASE_INSENSITIVE);

matcher=pattern.matcher(src);

src = matcher.replaceAll("\"\"");

//增加脚本

src = src.replaceAll("script", "").replaceAll(";", "")

.replaceAll("\"", "").replaceAll("@", "")

.replaceAll("0x0d", "")

.replaceAll("0x0a", "").replaceAll(",", "");

if(!temp.equals(src)){

System.out.println("输入信息存在xss攻击！");

System.out.println("原始输入信息-->"+temp);

System.out.println("处理后信息-->"+src);

}

return src;

}

//需要增加通配，过滤大小写组合

public String cleanSQLInject(String src) {

String temp =src;

src = src.replaceAll("insert", "forbidI")

.replaceAll("select", "forbidS")

.replaceAll("update", "forbidU")

.replaceAll("delete", "forbidD")

.replaceAll("and", "forbidA")

.replaceAll("or", "forbidO");

if(!temp.equals(src)){

System.out.println("输入信息存在SQL攻击！");

System.out.println("原始输入信息-->"+temp);

System.out.println("处理后信息-->"+src);

}

return src;

}

xml配置：

XssFilter

cn.com.jsoft.xss.XSSFilter

encoding

UTF-8

XssFilter

/*

以上代码仅仅将特殊的sql字符，特殊script脚本字符处理掉，具体的页面处理还需要后台处理！！

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。