首先在系统里写一个过滤器（Servlet Filter）。注意：下面这种基于关键字黑名单的过滤只能作为纵深防御的补充——它既容易被绕过，也会误拦含有 admin、test、count 等普通词语的正常输入；真正防止 SQL 注入必须在数据访问层使用参数化查询（PreparedStatement）。
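/**
 * Servlet filter that rejects requests whose parameter values contain a
 * blacklisted SQL / HTML keyword, records the attempt through JEECMS's
 * {@code CmsLogMng}, and forwards the client to {@code /error.jsp}.
 *
 * <p>Security note: a keyword blacklist is defence-in-depth at best and must
 * not be the only control. The list below contains neither {@code union},
 * {@code or}, {@code --}, {@code ;} nor comment sequences, only request
 * parameters are inspected (not path segments, headers, cookies or
 * multipart/JSON bodies), and many entries ({@code admin}, {@code test},
 * {@code count}, {@code char}, {@code base}, {@code *}, ...) match inside
 * ordinary words and so reject legitimate input. SQL injection is prevented
 * at the data-access layer with {@code PreparedStatement} and bound
 * parameters.
 *
 * <p>The log entry stores the raw offending payload in {@code CmsLog.content};
 * whichever admin view renders that field must HTML-encode it, or the log
 * itself becomes a stored-XSS sink.
 */
public class AntiSqlInjectionfilter implements Filter {

    /** Context-relative path prefix of the admin area that is exempt from the check. */
    private static final String ADMIN_PREFIX = "/cgw/admin";

    /**
     * Pipe-separated keyword blacklist; every entry is matched as a
     * case-insensitive substring of each parameter value. Kept verbatim from
     * the original listing. Extend with care: every added word is also a new
     * false positive for ordinary user input.
     */
    private static final String BAD_STR = "'|script|admin|iframe|test|img|body|div|exec|insert|select|delete|update|count|*|mid|master|truncate|char|declare|frameset|ilayer|layer|bgsound|base|onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload";

    /** Split once at class load instead of on every request. */
    private static final String[] BAD_STRS = BAD_STR.split("\\|");

    /**
     * ServletContext captured in {@link #init(FilterConfig)}; used to look up
     * the Spring root context when an attack is logged.
     */
    private javax.servlet.ServletContext servletContext;

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // Capture the context here so that logging a blocked request does not
        // need to create an HTTP session (the original went through
        // request.getSession().getServletContext(), creating a session for
        // every attacker request).
        servletContext = arg0.getServletContext();
    }

    @Override
    public void destroy() {
        servletContext = null;
    }

    /**
     * Lets admin-area requests through untouched; otherwise scans every
     * parameter value, and on a hit logs the attempt and forwards to
     * {@code /error.jsp} instead of continuing the chain.
     *
     * @param args0 the request (cast to {@link HttpServletRequest})
     * @param args1 the response, passed through unchanged
     * @param chain the remaining filter chain
     * @throws IOException      from the chain or the forward
     * @throws ServletException from the chain or the forward
     */
    @Override
    public void doFilter(ServletRequest args0, ServletResponse args1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) args0;

        if (isAdminRequest(req)) {
            chain.doFilter(args0, args1);
            return;
        }

        String params = findSuspiciousParameters(req);
        if (params == null) {
            chain.doFilter(args0, args1);
            return;
        }

        logAttack(req, params);

        // Forwarding answers with the error page under the default status
        // (200), so blocked requests are not distinguishable by status code.
        RequestDispatcher requestDispatcher = req.getRequestDispatcher("/error.jsp");
        requestDispatcher.forward(args0, args1);
    }

    /**
     * True when the request targets the admin area. The admin UI legitimately
     * submits HTML- and SQL-looking content, so it is exempt and relies on
     * authentication and parameterised queries instead.
     *
     * <p>The comparison is a prefix match on the container-normalised,
     * context-relative path (servlet path + path info). The original used
     * {@code getRequestURI().contains("/cgw/admin")}, which is satisfied by the
     * raw, un-normalised URI of <em>any</em> request carrying that substring
     * (for instance in a {@code ..} segment the container later normalises
     * away), letting a request opt out of the check.
     */
    private static boolean isAdminRequest(HttpServletRequest req) {
        String path = req.getServletPath();
        if (path == null) {
            path = "";
        }
        String info = req.getPathInfo();
        if (info != null) {
            path = path + info;
        }
        return path.startsWith(ADMIN_PREFIX);
    }

    /**
     * Scans every parameter value individually against the blacklist.
     *
     * @return all parameters rendered as {@code name=value} pairs joined by
     *         {@code '&'} when at least one value matched, or {@code null}
     *         when the request is clean. (The original concatenated all values
     *         with no separator and matched the concatenation, so a keyword
     *         spanning two adjacent values tripped the check and the log could
     *         not show which parameter was at fault.)
     */
    private static String findSuspiciousParameters(HttpServletRequest req) {
        StringBuilder all = new StringBuilder();
        boolean suspicious = false;
        for (Enumeration<?> names = req.getParameterNames(); names.hasMoreElements(); ) {
            String name = String.valueOf(names.nextElement());
            String[] values = req.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (all.length() > 0) {
                    all.append('&');
                }
                all.append(name).append('=').append(value);
                if (sqlValidate(value)) {
                    suspicious = true;
                }
            }
        }
        return suspicious ? all.toString() : null;
    }

    /**
     * Writes a {@code CmsLog} audit record for a blocked request. If the
     * Spring root context is not available the request is still blocked, just
     * without the record.
     *
     * @param req    the blocked request
     * @param params the parameters as rendered by {@link #findSuspiciousParameters}
     */
    private void logAttack(HttpServletRequest req, String params) {
        if (servletContext == null) {
            return;
        }
        org.springframework.context.ApplicationContext ctx =
                org.springframework.web.context.support.WebApplicationContextUtils
                        .getWebApplicationContext(servletContext);
        if (ctx == null) {
            return;
        }
        com.jeecms.cms.manager.main.CmsLogMng log =
                (com.jeecms.cms.manager.main.CmsLogMng) ctx.getBean("cmsLogMng");
        com.jeecms.cms.manager.main.CmsUserMng user =
                (com.jeecms.cms.manager.main.CmsUserMng) ctx.getBean("cmsUserMng");

        Date now = new Date();
        // Zero-padded, sortable timestamp; the original pattern "H:m:s" produced e.g. "9:5:3".
        SimpleDateFormat format = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
        String uri = req.getRequestURI();

        CmsLog cmslog = new CmsLog();
        cmslog.setContent("攻击URL:" + uri + " 参数:" + params + " 时间:" + format.format(now));
        // The original stored getLocalAddr() - the server's own address - which
        // made the entry useless for tracing the client. getRemoteAddr() is the
        // TCP peer; behind a reverse proxy that is the proxy, and X-Forwarded-For
        // is deliberately not trusted here.
        cmslog.setIp(req.getRemoteAddr());
        cmslog.setUrl(uri);
        cmslog.setTime(now);
        cmslog.setTitle("网站受到访问攻击");
        // Filters run before authentication, so the entry is attributed to the "admin" account.
        cmslog.setUser(user.findByUsername("admin"));
        cmslog.setCategory(2);
        log.save(cmslog);
    }

    /**
     * Case-insensitive substring match of {@code str} against the blacklist.
     *
     * @param str the value to check; {@code null} and {@code ""} are clean
     * @return {@code true} if any blacklist entry occurs in {@code str}
     */
    protected static boolean sqlValidate(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        // Locale.ROOT: under a Turkish default locale "INSERT".toLowerCase()
        // yields a dotless i and silently misses the "insert" entry.
        String lower = str.toLowerCase(java.util.Locale.ROOT);
        for (String bad : BAD_STRS) {
            if (lower.indexOf(bad) != -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * HTML-encodes the characters relevant to markup, attribute and script
     * injection ({@code < > ' " & # \ =}); everything else is copied through.
     * Returns the input unchanged when it is {@code null} or empty.
     *
     * <p>NOTE(review): the listing as published showed each replacement as the
     * bare character itself ({@code '<'} → {@code "<"}) and two identical
     * {@code '"'} case labels, i.e. the entity strings had been decoded by the
     * page renderer, leaving a method that was both a no-op and uncompilable.
     * The standard entities are restored here; {@code '\'} is encoded as
     * {@code &#92;} instead of the listing's {@code '¥'}.
     *
     * @param s the text to encode
     * @return the encoded text, or {@code s} itself if null/empty
     */
    public static String getSafeStringXSS(String s) {
        if (s == null || "".equals(s)) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '&':
                    sb.append("&amp;");
                    break;
                case '#':
                    sb.append("&#35;");
                    break;
                case '\\':
                    sb.append("&#92;");
                    break;
                case '=':
                    sb.append("&#61;");
                    break;
                default:
                    sb.append(c);
                    break;
            }
        }
        return sb.toString();
    }
}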
然后在 web.xml 中配置该过滤器：
<!-- 防止SQL注入的过滤器 -->
<!-- Registers AntiSqlInjectionfilter, a keyword-blacklist check on request
     parameters. Defence-in-depth only: parameterised queries at the data
     layer remain the actual SQL-injection control. -->
<filter>
<filter-name>antiSqlInjection</filter-name>
<filter-class>com.jeecms.cms.AntiSqlInjectionfilter</filter-class>
</filter>
<!-- "/*" applies the filter to every path; the filter itself exempts the
     /cgw/admin area. With no <dispatcher> element the mapping covers the
     REQUEST dispatcher only, so the filter's own forward to /error.jsp is
     not filtered again. -->
<filter-mapping>
<filter-name>antiSqlInjection</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
系统软件防止SQL注入的过滤器
转载自haisny.iteye.com/blog/2294854