
Java 防止SQL注入

2021-08-31 19:31:51  阅读:211  来源: 互联网



package com.filter;

import com.utils.StringUtils;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

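/**
 * Servlet filter that scans every request parameter for SQL metacharacters and
 * keywords and either rewrites the offending values or rejects the request.
 *
 * <p>NOTE(review): a keyword blacklist is a tripwire, not a defence against SQL
 * injection. It only sees what {@code getParameterMap()} returns (headers,
 * cookies, path segments and JSON/XML bodies pass untouched), it can be evaded
 * by keywords and encodings this list does not cover, and it damages legitimate
 * input such as "Johnson AND Sons". The real fix is parameterised SQL
 * ({@code PreparedStatement} with {@code ?} placeholders) in the data layer;
 * keep this filter only as defence in depth.
 *
 * <p>NOTE(review): {@code @Component} already registers a Spring-managed filter
 * bean; {@code @WebFilter} is honoured as well when the application scans
 * servlet components, in which case the filter may be registered twice. Confirm
 * which registration the project relies on and drop the other.
 */
@Component
@WebFilter(urlPatterns = "/*", filterName = "SQLInjection")
public class SqlInjectFilter implements Filter {

    /**
     * Compiled once, case-insensitive. The previous version split the regex
     * source on '|' and used the fragments as plain substrings, so the quote,
     * comment, {@code select} and {@code execute} alternatives never matched,
     * upper-case {@code SELECT} passed, and "or"/"and" were cut out of words
     * such as "order" and "android". Word boundaries restore whole-word
     * matching; the misspelled "trancate" is corrected to "truncate".
     */
    private static final Pattern SQL_PATTERN = Pattern.compile(
            "'|--|/\\*.*?\\*/|\\b(?:select|update|and|or|delete|insert|truncate|char|into"
                    + "|substr|ascii|declare|exec|count|master|drop|execute)\\b",
            Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    /**
     * Substituted for every match. Replacing with "" lets "se'lect" collapse into
     * "select" after one pass; this token is made of word characters and contains
     * no blacklisted keyword, so a single replaceAll cannot produce a new match.
     */
    private static final String REPLACED_STRING = "INVALID";

    /**
     * true: answer a flagged request with HTTP 400 instead of rewriting it.
     * Rewriting silently corrupts user data, so rejecting is the safer choice for
     * a new deployment, but it changes observable behaviour and is therefore off.
     */
    private static final boolean REJECT_ON_MATCH = false;

    /** Message sent with the 400 response when {@link #REJECT_ON_MATCH} is set. */
    private static final String REJECT_MESSAGE = "Request parameter contains illegal characters";

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure. Declared explicitly so the class also compiles
        // against servlet APIs older than 4.0, where init() has no default body.
    }

    /**
     * Inspects every parameter value; flagged values are rewritten (or the request
     * is rejected when {@link #REJECT_ON_MATCH} is set). Non-HTTP requests and
     * requests with no flagged value are passed down the chain unchanged.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        Map<String, String[]> sanitized = sanitizeParameters(req.getParameterMap());
        if (sanitized == null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (REJECT_ON_MATCH) {
            ((HttpServletResponse) servletResponse).sendError(HttpServletResponse.SC_BAD_REQUEST, REJECT_MESSAGE);
            return;
        }
        // Hand the chain a wrapper instead of writing into the container's arrays:
        // the Servlet spec makes getParameterMap() immutable and does not promise
        // that edits to the String[] it hands out are reflected by getParameter().
        filterChain.doFilter(new SanitizedRequest(req, sanitized), servletResponse);
    }

    /**
     * Returns a copy of {@code parameters} with every flagged value rewritten, or
     * {@code null} when nothing matched (so the request need not be wrapped).
     */
    private Map<String, String[]> sanitizeParameters(Map<String, String[]> parameters) {
        boolean changed = false;
        Map<String, String[]> copy = new LinkedHashMap<>(parameters.size());
        for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
            String[] values = entry.getValue();
            String[] cleaned = values;
            if (values != null) {
                cleaned = values.clone();
                for (int i = 0; i < cleaned.length; i++) {
                    if (checkSqlKeyWords(cleaned[i])) {
                        cleaned[i] = cleanSqlKeyWords(cleaned[i]);
                        changed = true;
                    }
                }
            }
            copy.put(entry.getKey(), cleaned);
        }
        return changed ? copy : null;
    }

    /**
     * Returns true when {@code value} contains a single quote, a SQL comment or a
     * blacklisted keyword as a whole word, ignoring case; {@code null} is never
     * flagged. A value that is exactly a keyword (e.g. "or") is flagged as well;
     * the old {@code length() > keyword.length()} test let such values through.
     */
    public boolean checkSqlKeyWords(String value) {
        return value != null && SQL_PATTERN.matcher(value).find();
    }

    /** Replaces every match in {@code value} with {@link #REPLACED_STRING}; {@code null} is returned unchanged. */
    private String cleanSqlKeyWords(String value) {
        return value == null ? null : SQL_PATTERN.matcher(value).replaceAll(REPLACED_STRING);
    }

    @Override
    public void destroy() {
        // No resources are held.
    }

    /** Request view that serves the sanitised parameters and leaves the container's own map untouched. */
    private static final class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> parameters;

        SanitizedRequest(HttpServletRequest request, Map<String, String[]> parameters) {
            super(request);
            this.parameters = Collections.unmodifiableMap(parameters);
        }

        @Override
        public String getParameter(String name) {
            String[] values = parameters.get(name);
            return values == null || values.length == 0 ? null : values[0];
        }

        @Override
        public String[] getParameterValues(String name) {
            String[] values = parameters.get(name);
            // Defensive copy so callers cannot edit the sanitised values behind our back.
            return values == null ? null : values.clone();
        }

        @Override
        public Map<String, String[]> getParameterMap() {
            return parameters;
        }

        @Override
        public Enumeration<String> getParameterNames() {
            return Collections.enumeration(parameters.keySet());
        }
    }
}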

 

来源: https://www.cnblogs.com/yyhhblog/p/15211847.html
