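/**
 * Input-sanitising helpers intended to wrap values before they are written into a JSP page.
 *
 * <p>{@link #checkHtmlEncode(String)} is an HTML escaper for element content and attribute
 * values. {@link #checkSQLImmit(String)} is a keyword blacklist: it blanks out a fixed set of
 * substrings and is lossy on ordinary text (e.g. {@code "color "} loses its {@code "or "}).
 * It does not make string-built SQL safe on its own; queries should still be issued through
 * {@code PreparedStatement} with bound parameters, with this filter at most as a second layer.
 */
public class SecurityCommLocalUtil {

    /**
     * Substrings removed by {@link #checkSQLImmit(String)}. Matched case-insensitively, so a
     * single list replaces the former separate lower-/upper-case lists (which also missed
     * mixed-case spellings such as {@code "Select "}).
     */
    private static final String[] SQL_BLACKLIST = {
        "select ", "and ", "or ", "update ", "delete ", "insert ", " sysibm", ";", " dual",
        " declare", "/*", " systables", "length ", " substr", "'", "<", ">", "`"
    };

    /**
     * {@link #SQL_BLACKLIST} pre-compiled as literal patterns. Entries are quoted because
     * they are plain text, not regexes: compiled unquoted, {@code "/*"} means "zero or more
     * slashes", matches the empty string and inserts a space between every character.
     */
    private static final Pattern[] SQL_BLACKLIST_PATTERNS = compileLiteral(SQL_BLACKLIST);

    /**
     * Escapes the characters that let text break out of HTML element content or a quoted
     * attribute value: {@code & # " ' < >}.
     *
     * @param sText text to escape; may be {@code null}
     * @return the escaped text, or {@code ""} when {@code sText} is {@code null} or empty
     */
    public static String checkHtmlEncode(String sText) {
        if (sText == null || sText.isEmpty()) {
            return "";
        }
        // '&' is escaped first so the entities introduced below are not escaped again;
        // String.replace is a single literal pass, unlike the regex-based replaceAll.
        return sText
                .replace("&", "&amp;")
                .replace("#", "&#35;")
                .replace("\"", "&quot;")
                // NOTE(review): the original mapped the typographic apostrophe (U+2019), which
                // looks like a mangled ASCII '\''; the ASCII form is the one that breaks out of
                // single-quoted attributes, so that is what is escaped here.
                .replace("'", "&#39;")
                .replace("<", "&lt;")
                .replace(">", "&gt;");
    }

    /**
     * Blanks out every occurrence of the substrings in {@link #SQL_BLACKLIST}, ignoring case.
     * Each match is replaced by a single space. The method name keeps the original spelling
     * for source compatibility.
     *
     * @param param string to filter; may be {@code null}
     * @return the filtered string; {@code null} and {@code ""} are returned unchanged
     */
    public static String checkSQLImmit(String param) {
        if (param == null || param.isEmpty()) {
            return param;
        }
        String cleaned = param;
        for (Pattern blacklisted : SQL_BLACKLIST_PATTERNS) {
            // replaceAll returns the input unchanged when nothing matches, so no indexOf gate
            // is needed (the old case-sensitive gate was what let mixed-case spellings through).
            cleaned = blacklisted.matcher(cleaned).replaceAll(" ");
        }
        return cleaned;
    }

    /** Compiles each literal as a quoted, case-insensitive pattern, preserving order. */
    private static Pattern[] compileLiteral(String[] literals) {
        Pattern[] compiled = new Pattern[literals.length];
        for (int i = 0; i < literals.length; i++) {
            compiled[i] = Pattern.compile(Pattern.quote(literals[i]), Pattern.CASE_INSENSITIVE);
        }
        return compiled;
    }
}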
在jsp页面中用该方法包裹request.getAttribute()