java防止sql注入过滤器

普通的列表模糊查询,可能会被sql注入利用,造成数据泄漏,严重的甚至导致删表删库!

貌似正常的sql语句

SELECT * FROM  tblStudent WHERE  unit_name like '%aaa%' order by  create_time desc limit 0, 30 ;

倘若想要借此进行sql注入,input输入框中输入aaa%'  or  '1%' = '1,则sql语句被拼接为

SELECT * FROM tblStudent WHERE unit_name like '%aaa%' or '1%'='1%' order by create_time desc limit 0, 30

这似乎无关痛痒,倘若input输入框中输入的内容换成   aaa%';drop table tbl_test;#   ,则sql语句成为

SELECT * FROM tblStudent WHERE unit_name like '%aaa%';drop table tbl_test;#%' order by create_time desc limit 0, 30;

#表示注释,其后的内容被忽略,于是drop语句成为一条独立的sql语句,造成删表。

drop table tbl_test;

 

 

那么最好的解决方式就是拦截器或者过滤器来统一处理请求的参数

package com.guiyang.education.filter;

import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

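public class SqlInjectFilter implements Filter {

    /**
     * Lower-case SQL keywords; a request is rejected when any parameter value
     * contains one of them as a substring.
     *
     * <p>The original code built this array with {@code split("|")}. Because
     * {@link String#split(String)} takes a regular expression and {@code |}
     * is alternation, that call split the list into single characters rather
     * than keywords, so the filter rejected almost every request that
     * contained a letter such as {@code a} or {@code e}. The separator is
     * escaped here so the array really holds the keywords.
     *
     * <p>This is a coarse substring blocklist and a defence-in-depth measure
     * only: it also rejects legitimate values such as "Florida" (contains
     * "or") or "handle" (contains "and"), and it does not replace
     * parameterised queries ({@code PreparedStatement}) in the data-access
     * code.
     */
    private static final String[] BAD_KEYWORDS =
            "select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|table"
                    .split("\\|");

    @Override
    public void destroy() {
        // Nothing to release.
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // No configuration is read.
    }

    /**
     * Rejects the request with HTTP 400 when any request parameter value
     * contains a blocked SQL keyword; otherwise hands it to the next filter.
     *
     * @param req   incoming request, expected to be an {@link HttpServletRequest}
     * @param res   outgoing response, expected to be an {@link HttpServletResponse}
     * @param chain remaining filter chain
     * @throws IOException      if writing the error response fails
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Enumeration<String> params = request.getParameterNames();
        while (params.hasMoreElements()) {
            String name = params.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            // Each value is checked on its own. The original concatenated all
            // values into one string, so a keyword spanning two unrelated
            // values ("dr" followed by "op") produced a false positive.
            for (String value : values) {
                if (sqlValidate(value)) {
                    // A client-side validation failure is a 400. Throwing
                    // IOException (as before) made the container report it
                    // as a server error with a stack trace.
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "您发送请求中的参数中含有非法字符");
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} when {@code str} contains one of the blocked SQL
     * keywords, ignoring case.
     *
     * @param str parameter value to check; {@code null} and "" are treated as clean
     * @return {@code true} if the value must be rejected
     */
    public static boolean sqlValidate(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        // Locale.ROOT: under a locale-sensitive lower-casing (e.g. Turkish
        // dotless i) "SELECT" would not match the keyword "select".
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String keyword : BAD_KEYWORDS) {
            if (lowered.contains(keyword)) {
                return true;
            }
        }
        return false;
    }
}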

然后在web.xml我们配置这个过滤器就ok了

<!-- SQL-injection parameter filter. The url-pattern /* maps it onto every
     request path, so every request's parameter values pass through the check. -->
    <filter>
        <filter-name>SqlInjectFilter</filter-name>
        <filter-class>com.guiyang.education.filter.SqlInjectFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SqlInjectFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

 


Origin blog.csdn.net/peter_qyq/article/details/89206541