<!-- 防SQL注入过滤 --> <filter> <filter-name>SqlInjectFilter</filter-name> <filter-class>com.vprisk.vpframe.sys.security.filter.SqlInjectFilter</filter-class> <!-- 过滤前台传入的参数,可手动添加或删减,以“|”分割 --> <init-param> <param-name>sqlInjectStrList</param-name> <param-value>'|or|and|;|--|+|like|//|/|*|%|#</param-value> </init-param> </filter> <filter-mapping> <filter-name>SqlInjectFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> /*******************class*****************************/ package com.vprisk.vpframe.sys.security.filter; import java.io.IOException; import java.util.Enumeration; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; public class SqlInjectFilter implements Filter{ public FilterConfig config; @Override public void destroy() { this.config = null; } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httprequest = (HttpServletRequest) request; // 获得所有请求参数名 Enumeration<?> params = httprequest.getParameterNames(); String sql = ""; while (params.hasMoreElements()) { // 得到参数名 String name = params.nextElement().toString(); if("username".equals(name) || "password".equals(name)){ continue; } // 得到参数对应值 String[] value = httprequest.getParameterValues(name); for (int i = 0; i < value.length; i++) { sql = sql + value[i]; } } // 过滤掉的SQL关键字,可以手动添加 // if(""!= sql){ String sqlInjectStrList = config.getInitParameter("sqlInjectStrList"); if (sqlValidate(sql, sqlInjectStrList)) { throw new IOException("请输入有效字符"); // 重定向或跳转,略... } else { chain.doFilter(request, response); } // } } // 校验SQL protected static boolean sqlValidate(String str, String sqlInjectStrList) { // 统一转为小写 str = str.toLowerCase(); System.out.println("==================================="+str); // 转换为数组 String[] badStrs = sqlInjectStrList.split("\\|"); for (int i = 0; i < badStrs.length; i++) { if(str.indexOf(",")>=0){ String strData [] = str.split(","); for(int j = 0; j < strData.length; j++) { if( strData[j].indexOf("org") >=0 || strData[j].indexOf("for") >=0|| "custshortname".equals(strData[j]) || "custcategory".equals(strData[j]) || "abnormaloperation".equals(strData[j]) || strData[j].indexOf("cator") >=0 || "amorttype".equals(strData[j]) ||strData[j].indexOf("poormoney") >=0){ continue; } if (strData[j].indexOf(badStrs[i]) >= 0) { return true; } } }else{ if(str.indexOf("cator") <0){ // 检索 organ if (str.indexOf(badStrs[i]) >= 0) { return true; } } } } return false; } @Override public void init(FilterConfig filterConfig) throws ServletException { config = filterConfig; } } |
|
来自: 柳7it48xq2tc7q > 《日常总结》