其实就是将一些数据库的关键词在用户输入的后通过参数传入后台后,检验用户传入的参数是够包含该数据库的关键词,来过滤掉。可能这样写有一些漏洞,希望大神们前来纠正错误。下面代码贴上。
1 public class SQLInjectionFilter implements Filter{ 2 public void destroy() { 3 // TODO Auto-generated method stub 4 } 5 6 public void init(FilterConfig arg0) throws ServletException { 7 // TODO Auto-generated method stub 8 } 9 10 public void doFilter(ServletRequest request, ServletResponse response, 11 FilterChain chain) throws IOException, ServletException { 12 HttpServletRequest req=(HttpServletRequest) request; 13 HttpServletResponse res=(HttpServletResponse) response; 14 //获得所有请求参数名 15 Enumeration params = req.getParameterNames(); 16 String sql = ""; 17 //获得请求的URL 18 while (params.hasMoreElements()) { 19 //得到参数名 20 String name = params.nextElement().toString(); 21 //得到参数对应值 22 String[] value = req.getParameterValues(name); 23 if(value!=null&&!value[0].equals("-1")){ 24 for (int i = 0; i < value.length; i++) { 25 sql = sql + value[i]; 26 } 27 } 28 } 29 30 //检验输出的参数是否包含关键词 31 if (sqlValidate(sql)) { 32 PrintWriter out = res.getWriter(); 33 out.print("<script>alert('您发送的请求参数中含有非法字符')</script>"); 34 out.close(); 35 }else{ 36 chain.doFilter(request,response); 37 } 38 } 39 40 //归总的sql关键词 41 protected static boolean sqlValidate(String str) { 42 str = str.toLowerCase();//统一转为小写 43 String badStr = "'|and|exec|waitfot|delay|sysusers|html|function|group by|database|user|system_user|session_user|substring|" + 44 "sysobjects|chongqing|script|ajax|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|" + 45 "char|declare|sitename|net user|xp_cmdshell|like'|create|table|from|grant|use|group_concat|column_name|" + 46 "information_schema.columns|table_schema|union|where|order|by|--|+|like|#";//过滤掉的sql关键字,可以手动添加 47 String[] badStrs = badStr.split("\\|"); 48 for (int i = 0; i < badStrs.length; i++) { 49 //循环检测,判断在请求参数当中是否包含SQL关键字 50 if (str.indexOf(badStrs[i]) >= 0) { 51 return true; 52 } 53 } 54 return false; 55 }
