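import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.support.SpringBeanAutowiringSupport;

import com.gsww.jzfp.util.JsonParser;
import com.gsww.jzfp.util.StringHelper;

/**
 * Servlet filter that rejects a request when any of its parameter values contains a
 * token from a fixed blocklist of SQL / script keywords, and otherwise lets the
 * request continue down the filter chain.
 *
 * <p>This is a defence-in-depth measure, not a substitute for parameterised SQL
 * ({@code PreparedStatement}) and context-aware output encoding. A plain substring
 * blocklist is incomplete (anything not on the list passes) and produces false
 * positives: the list contains {@code "script"}, {@code "select"}, {@code "count"},
 * {@code "asc"}, {@code "mid"}, {@code "update"} and {@code " from"}, so harmless
 * values such as "description", "account" or "selected" are rejected. Only request
 * parameters are inspected; headers, cookies and raw request bodies are not.
 *
 * <p>Note for maintainers: the listing this file was restored from had lost its
 * braces and string delimiters; quote characters inside the generated JavaScript
 * (see {@link #dispatchLoginPage}) are therefore a reconstruction.
 */
public class ParameterFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(ParameterFilter.class);

    /**
     * Tokens whose presence (case-insensitive substring match) marks a value as illegal.
     * Kept as a literal array rather than a {@code '|'}-joined string so that no regex
     * {@code split} is involved (an unescaped {@code "|"} pattern would split into single
     * characters). The leading space in {@code " from"} is intentional.
     */
    private static final String[] BAD_WORDS = {
            "net user", "xp_cmdshell", "/add", "exec master.dbo.xp_cmdshell",
            "net localgroup administrators", "select", "count", "asc", "mid", "insert",
            "delete from", "drop table", "update", "truncate",
            " from", "%", "javascript", "script"
    };

    /**
     * Logs start-up and lets Spring inject {@code @Autowired} members, since the servlet
     * container (not Spring) instantiates this filter.
     *
     * @param filterConfig container-supplied configuration; its servlet context is used
     *                     to locate the Spring root application context
     * @throws ServletException never thrown here, declared by the {@link Filter} contract
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        log.info("Initializing filter ParameterFilter");
        SpringBeanAutowiringSupport.processInjectionBasedOnServletContext(this, filterConfig.getServletContext());
    }

    /**
     * Inspects every request parameter value; on a blocklist hit the request is answered
     * with a redirect-to-login script and the chain is NOT continued, otherwise the
     * request is passed on unchanged.
     *
     * <p>The previous version also called {@code getSession()} on every request and never
     * used the result, which created a session (and a session cookie) for anonymous
     * callers as a side effect; that call has been dropped.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        if (hasIllegalParameter(req)) {
            log.debug("传入的参数存在非法字符!");
            dispatchLoginPage(request, response, "参数存在非法字符!");
            return; // blocked: the downstream servlet must not see this request
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} if any value of any request parameter matches the blocklist.
     *
     * <p>Values are tested one at a time. The previous version concatenated all values
     * into one string with no separator, so a token split across two unrelated
     * parameters (or formed at their boundary) could trigger a match.
     */
    private static boolean hasIllegalParameter(HttpServletRequest req) {
        Enumeration<?> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String name = String.valueOf(names.nextElement());
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (isSQLOrScript(value)) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // No resources are held by this filter.
    }

    /**
     * Answers the request with a script that shows {@code msg} in an alert and redirects
     * the top window to {@code <context-path>/login.jsp}. The script is written by
     * {@code responseScript}, which is not part of this excerpt.
     *
     * <p>{@code msg} and the URL are embedded inside JavaScript string literals, so both
     * are escaped first; the previous version interpolated them unescaped. Today the only
     * caller passes a constant message, so the escaping is a guard against future callers.
     *
     * @param request  current request, used to obtain the context path
     * @param response response the script is written to
     * @param msg      user-visible message
     */
    private void dispatchLoginPage(ServletRequest request, ServletResponse response, String msg) {
        String url = request.getServletContext().getContextPath() + "/login.jsp";
        this.responseScript(response,
                "alert('" + jsStringEscape(msg) + "');top.location.href='" + jsStringEscape(url) + "';");
    }

    /**
     * Escapes {@code s} for use inside a single-quoted JavaScript string literal.
     * {@code <} and {@code >} are hex-escaped so that the value can never contain a
     * literal {@code </script>} that would terminate the enclosing script block.
     *
     * @param s raw value; {@code null} yields the empty string
     * @return the escaped value
     */
    private static String jsStringEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '\'': sb.append("\\'"); break;
                case '"':  sb.append("\\\""); break;
                case '<':  sb.append("\\x3c"); break;
                case '>':  sb.append("\\x3e"); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Marks a (non-redirect) response as non-cacheable and UTF-8 encoded.
     *
     * <p>The previous version called {@code setHeader("Cache-Control", "no-cache")} and
     * then {@code setHeader("Cache-Control", "no-store")}; {@code setHeader} replaces the
     * earlier value, so "no-cache" was never sent. Both directives now go in one header.
     *
     * @param response response to prepare
     */
    private void initContentResponse(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setDateHeader("Expires", 0);     // HTTP/1.0 caches: already expired
        response.setHeader("Pragma", "no-cache");  // HTTP/1.0 caches
        response.setCharacterEncoding("UTF-8");
    }

    /**
     * Case-insensitive substring test of {@code str} against {@link #BAD_WORDS}.
     *
     * <p>{@link Locale#ROOT} is used for lower-casing: under a Turkish default locale
     * {@code "INSERT".toLowerCase()} yields a dotless i ("ınsert") and would slip past
     * the list.
     *
     * @param str value to test; {@code null} or empty is treated as clean
     * @return {@code true} if any blocklisted token occurs in {@code str}
     */
    private static boolean isSQLOrScript(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String bad : BAD_WORDS) {
            if (lowered.contains(bad)) {
                return true;
            }
        }
        return false;
    }
}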