web.xml 中配置如下
<!-- The filter is mapped only to *.shtml requests; a request under any other
     URL pattern bypasses this check entirely, so the mapping must be kept in
     sync with every endpoint that reaches the database. -->
<filter-mapping>
<filter-name>SQLFilter</filter-name>
<url-pattern>*.shtml</url-pattern>
</filter-mapping>
<!-- NOTE(review): DTD-based descriptors (Servlet 2.3) require <filter> to come
     before <filter-mapping>; schema-based descriptors (2.4+) accept either order.
     Confirm which web-app version this file declares. -->
<filter>
<filter-name>SQLFilter</filter-name>
<filter-class>com.zte.frame.filter.SQLFilter</filter-class>
<!-- Keyword blocklist, presumably split on '|' by the filter's init() (not shown
     here). It includes very common tokens ('and', 'or', '-', '+', ',', '%'), so
     ordinary values such as "rock and roll" or a hyphenated name are rejected,
     while a blocklist cannot enumerate every injection form. Treat this as
     defense in depth only; parameterized queries in the data layer remain the
     actual mitigation. -->
<init-param>
<param-name>keywords</param-name>
<param-value>'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,|--</param-value>
</init-param>
</filter>
--后台代码如下:
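/**
 * Rejects the request when any request-parameter value trips {@code sql_inj};
 * otherwise passes the request down the filter chain unchanged.
 *
 * <p>{@code sql_inj} is defined elsewhere in this class; from the {@code keywords}
 * init-param in web.xml it is presumably a keyword blocklist check. A blocklist
 * neither catches every injection form nor avoids false positives on legitimate
 * input that contains a listed token, so this filter is defense in depth only;
 * parameterized queries in the data layer remain the actual mitigation.
 *
 * <p>Only what {@code getParameterMap()} exposes is inspected (query string and
 * form-encoded body); headers, cookies, the request path and non-form bodies
 * are not.
 *
 * @param request  the incoming request; must be an {@link HttpServletRequest}
 * @param response the outgoing response; must be an {@link HttpServletResponse}
 * @param chain    the remaining filter chain, invoked only for clean requests
 * @throws IOException        if the rejection message cannot be written
 * @throws ServletException   propagated from downstream filters or the servlet
 * @throws ClassCastException if request/response are not HTTP objects
 */
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    // Typed view of the parameter map instead of the raw Iterator + cast.
    // Fully qualified so no new import is required; on a pre-3.0 servlet API
    // this is an unchecked conversion from the raw Map, which still compiles.
    java.util.Map<String, String[]> params = req.getParameterMap();

    for (String[] values : params.values()) {
        for (String value : values) {
            if (!sql_inj(value)) {
                continue;
            }
            // Strip CR/LF before logging so a crafted parameter cannot forge
            // additional log lines (log injection).
            String loggable = value == null ? "null" : value.replaceAll("[\\r\\n]", " ");
            log.info("------------参数中包含非法字符----'" + loggable + "'----------");

            // Declare the charset before obtaining the writer; otherwise the
            // non-ASCII alert text is written with the container default
            // (ISO-8859-1) and arrives garbled. Status stays 200 to preserve
            // existing behavior; a 400 would be more appropriate for API clients.
            res.setContentType("text/html;charset=UTF-8");
            PrintWriter out = res.getWriter();
            // Static message only: the offending value is deliberately not
            // echoed back, so nothing untrusted is reflected into the page.
            out.print("<Script Language='javascript'>alert('参数中包含非法字符!');</Script>");
            out.close();
            return;
        }
    }
    chain.doFilter(request, response);
}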