系统软件防止SQL注入的过滤器

首先在系统里写一个过滤器。
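/**
 * Servlet filter that scans every request parameter value for a blocklist of
 * SQL / HTML keywords and, on a hit, stores a {@code CmsLog} record and forwards
 * the request to {@code /error.jsp} instead of passing it down the chain.
 *
 * <p>NOTE(review): substring blocklisting is not a substitute for parameterized
 * queries ({@code PreparedStatement}) and context-aware output encoding; treat
 * it as a logging / defence-in-depth signal only. Several entries in the list
 * ("admin", "test", "count", "mid", "char", "base", ...) are ordinary words, so
 * legitimate input that contains them is rejected as well.
 */
public class AntiSqlInjectionfilter implements Filter {

    /**
     * Substrings that cause a request to be rejected. They are matched
     * case-insensitively against the concatenation of all parameter values.
     * Entries are separated by '|' and can be extended by hand; the list is
     * split once here instead of on every request.
     */
    private static final String[] BAD_STRS = "'|script|admin|iframe|test|img|body|div|exec|insert|select|delete|update|count|*|mid|master|truncate|char|declare|frameset|ilayer|layer|bgsound|base|onabort|onactivate|onafterprint|onafterupdate|onbeforeactivate|onbeforecopy|onbeforecut|onbeforedeactivate|onbeforeeditfocus|onbeforepaste|onbeforeprint|onbeforeunload|onbeforeupdate|onblur|onbounce|oncellchange|onchange|onclick|oncontextmenu|oncontrolselect|oncopy|oncut|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondeactivate|ondrag|ondragend|ondragenter|ondragleave|ondragover|ondragstart|ondrop|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onfocusin|onfocusout|onhelp|onkeydown|onkeypress|onkeyup|onlayoutcomplete|onload|onlosecapture|onmousedown|onmouseenter|onmouseleave|onmousemove|onmouseout|onmouseover|onmouseup|onmousewheel|onmove|onmoveend|onmovestart|onpaste|onpropertychange|onreadystatechange|onreset|onresize|onresizeend|onresizestart|onrowenter|onrowexit|onrowsdelete|onrowsinserted|onscroll|onselect|onselectionchange|onselectstart|onstart|onstop|onsubmit|onunload".split("\\|");

    /** Nothing to release. */
    public void destroy() {
    }

    /** Nothing to initialise; the blocklist is a compile-time constant. */
    public void init(FilterConfig arg0) throws ServletException {
    }

    /**
     * Scans the request parameters and either forwards to {@code /error.jsp}
     * (blocklist hit, after writing a {@code CmsLog} entry) or continues the
     * chain. Requests whose URI contains {@code /cgw/admin} are passed through
     * without inspection.
     *
     * @param args0 incoming request; cast to {@link HttpServletRequest}
     * @param args1 outgoing response, handed to the chain or to the error dispatcher
     * @param chain remaining filter chain
     * @throws IOException      propagated from the chain or the forward
     * @throws ServletException propagated from the chain or the forward
     */
    public void doFilter(ServletRequest args0, ServletResponse args1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) args0;

        // Substring match, not a prefix check: any URI that contains "/cgw/admin"
        // anywhere skips the scan. Presumably meant for the admin console;
        // TODO confirm whether a context-path-aware startsWith() is intended.
        if (req.getRequestURI().contains("/cgw/admin")) {
            chain.doFilter(args0, args1);
            return;
        }

        String joinedParams = collectParameterValues(req);
        if (sqlValidate(joinedParams)) {
            recordAttack(req, joinedParams);
            // Forward (not redirect) so the client sees the error page under the original URL.
            req.getRequestDispatcher("/error.jsp").forward(args0, args1);
        } else {
            chain.doFilter(args0, args1);
        }
    }

    /**
     * Concatenates every value of every request parameter, in enumeration
     * order and without separators, into the single string the blocklist is
     * applied to.
     *
     * @param req request whose parameters are read
     * @return the joined values; empty when the request has no parameters
     */
    private static String collectParameterValues(HttpServletRequest req) {
        StringBuilder joined = new StringBuilder();
        Enumeration<String> params = req.getParameterNames();
        while (params.hasMoreElements()) {
            String[] values = req.getParameterValues(params.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                joined.append(value);
            }
        }
        return joined.toString();
    }

    /**
     * Persists a {@code CmsLog} record (category 2, attributed to the "admin"
     * user) describing the rejected request.
     *
     * @param req          the rejected request
     * @param joinedParams the concatenated parameter values that triggered the block;
     *                     stored verbatim, i.e. the log content contains raw untrusted input
     */
    private static void recordAttack(HttpServletRequest req, String joinedParams) {
        org.springframework.context.ApplicationContext ctx =
                org.springframework.web.context.support.WebApplicationContextUtils
                        .getWebApplicationContext(req.getSession().getServletContext());
        com.jeecms.cms.manager.main.CmsLogMng logMng =
                (com.jeecms.cms.manager.main.CmsLogMng) ctx.getBean("cmsLogMng");
        com.jeecms.cms.manager.main.CmsUserMng userMng =
                (com.jeecms.cms.manager.main.CmsUserMng) ctx.getBean("cmsUserMng");

        // One timestamp for both the content text and the time column.
        Date now = new Date();
        // SimpleDateFormat is not thread-safe, so it is created per call rather than shared.
        String when = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(now);
        String uri = req.getRequestURI();

        CmsLog cmslog = new CmsLog();
        cmslog.setContent("攻击URL:" + uri + " 参数:" + joinedParams + " 时间:" + when);
        // getRemoteAddr() is the peer's address; getLocalAddr() would record the
        // server's own interface. Behind a reverse proxy this is still the proxy.
        cmslog.setIp(req.getRemoteAddr());
        cmslog.setUrl(uri);
        cmslog.setTime(now);
        cmslog.setTitle("网站受到访问攻击");
        cmslog.setUser(userMng.findByUsername("admin"));
        cmslog.setCategory(2);
        logMng.save(cmslog);
    }

    /**
     * Reports whether {@code str} contains any blocklisted substring.
     *
     * @param str text to scan; {@code null} is treated as empty
     * @return {@code true} when at least one entry of the blocklist occurs in
     *         the lower-cased text
     */
    protected static boolean sqlValidate(String str) {
        if (str == null) {
            return false;
        }
        // Locale.ROOT keeps the comparison stable under e.g. Turkish default locales,
        // where "I".toLowerCase() is not "i".
        String lower = str.toLowerCase(java.util.Locale.ROOT);
        for (String bad : BAD_STRS) {
            if (lower.contains(bad)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Replaces the characters {@code < > ' ′ " \ =} with HTML entities or
     * substitutes. {@code &} and {@code #} are appended unchanged, so the
     * result is not a complete HTML encoding; presumably chosen so already
     * encoded entities survive a second pass.
     *
     * @param s text to encode
     * @return the encoded text, or {@code s} itself when it is {@code null} or empty
     */
    public static String getSafeStringXSS(String s) {
        if (s == null || "".equals(s)) {
            return s;
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
            case '<':
                sb.append("&lt;");
                break;
            case '>':
                sb.append("&gt;");
                break;
            case '\'':
            case '′':
                sb.append("&prime;");
                break;
            // '\"' and '"' are the same character; listing both was a duplicate case label.
            case '"':
                sb.append("&quot;");
                break;
            case '&':
                sb.append("&");
                break;
            case '#':
                sb.append("#");
                break;
            case '\\':
                sb.append('¥');
                break;
            case '=':
                sb.append("&#61;");
                break;
            default:
                sb.append(c);
                break;
            }
        }
        return sb.toString();
    }

}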
然后在web.xml里配置：<!-- 防止SQL注入的过滤器 -->
  <filter>       
   <filter-name>antiSqlInjection</filter-name>    
   <filter-class>com.jeecms.cms.AntiSqlInjectionfilter</filter-class>   
  </filter>    
  <filter-mapping>        
        <filter-name>antiSqlInjection</filter-name>      
          <url-pattern>/*</url-pattern>   
  </filter-mapping> 
</web-app>

转载自haisny.iteye.com/blog/2294854