普通的列表模糊查询,可能会被sql注入利用,造成数据泄漏,严重的甚至导致删表删库!
貌似正常的sql语句
SELECT * FROM tblStudent WHERE unit_name like '%aaa%' order by create_time desc limit 0, 30 ;
倘若想要借此进行sql注入,input输入框中输入aaa%' or '1%' = '1,则sql语句被拼接为
SELECT * FROM tblStudent WHERE unit_name like '%aaa%' or '1%'='1%' order by create_time desc limit 0, 30
这似乎无关痛痒,但倘若在input输入框中输入 aaa%';drop table tbl_test;# ,则sql语句成为
SELECT * FROM tblStudent WHERE unit_name like '%aaa%';drop table tbl_test;#%' order by create_time desc limit 0, 30;
#表示注释,其后的内容被忽略,于是 drop table 成为一条独立执行的sql语句,造成删表。
drop table tbl_test;
那么最好的解决方式就是用拦截器或者过滤器来统一处理请求的参数
package com.guiyang.education.filter;
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
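/**
 * Servlet filter that screens every request parameter value for SQL keywords
 * before the request reaches the application.
 *
 * <p>This is a keyword blocklist, so it can only be a defence-in-depth layer: the
 * primary control against SQL injection is building every statement with bound
 * parameters ({@code PreparedStatement}) instead of string concatenation.
 */
public class SqlInjectFilter implements Filter {

    /**
     * Whole-word, case-insensitive match for the blocklisted SQL keywords.
     * Compiled once; {@link Pattern} is thread-safe, so one instance serves all requests.
     *
     * <p>Keywords are anchored with {@code \b} so ordinary words that merely contain a
     * keyword ("password" contains "or", "Andy" contains "and") are not rejected, which
     * the earlier substring check did.
     */
    private static final Pattern BAD_KEYWORDS = Pattern.compile(
            "\\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii"
                    + "|declare|exec|count|master|drop|execute|table)\\b",
            Pattern.CASE_INSENSITIVE);

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no resources.
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // No configuration is read; the keyword list is fixed.
    }

    /**
     * Checks every value of every request parameter; rejects the request when a value
     * contains a blocklisted keyword, otherwise passes it down the chain.
     *
     * <p>Values are checked one at a time rather than concatenated: joining all values
     * into one string let two harmless parameters combine into a keyword
     * ("se" + "lect") and hid which parameter caused the rejection.
     *
     * @param req   incoming request (expected to be an {@link HttpServletRequest})
     * @param res   outgoing response
     * @param chain remaining filter chain
     * @throws IOException when a parameter value matches the blocklist (kept from the
     *     original contract; the container surfaces it as a server error rather than
     *     a client error)
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (sqlValidate(value)) {
                    throw new IOException("您发送请求中的参数中含有非法字符");
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} when {@code str} contains one of the blocklisted SQL
     * keywords as a whole word, ignoring case.
     *
     * <p>The previous implementation split the keyword list with {@code split("|")};
     * in a regex {@code |} is alternation, so the split yielded one-character entries
     * and almost every non-empty string was flagged.
     *
     * @param str parameter value to check; {@code null} or empty counts as clean
     * @return whether a blocklisted keyword was found
     */
    public static boolean sqlValidate(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return BAD_KEYWORDS.matcher(str).find();
    }
}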
然后在 web.xml 中配置这个过滤器就可以了
<!-- SQL-injection keyword filter (SqlInjectFilter) -->
<filter>
<filter-name>SqlInjectFilter</filter-name>
<filter-class>com.guiyang.education.filter.SqlInjectFilter</filter-class>
</filter>
<!-- Mapped to /* so the filter screens the parameters of every request, not only those that end in a SQL query -->
<filter-mapping>
<filter-name>SqlInjectFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>