Java 过滤器（Filter）防 SQL 注入的实现代码

作者:jingxian 时间:2023-08-30 09:56:40 

实例如下:

XSSFilter.java


/**
 * Filter entry point: inspects the query string of each request for XSS / SQL-keyword
 * patterns and, when the cleaned query differs from the original, redirects the client
 * to the cleaned URL instead of passing the request down the chain.
 *
 * Only the URL and query string are inspected while {@code flag} is true (the hard-coded
 * value below); the {@code else} branch, which would wrap the whole request so that every
 * parameter and header is cleaned, is currently unreachable.
 *
 * @param servletrequest  incoming request; cast to HttpServletRequest without a type check
 * @param servletresponse outgoing response; cast to HttpServletResponse without a type check
 * @param filterchain     the rest of the filter chain
 * @throws IOException      from URL decoding or from the redirect
 * @throws ServletException from downstream filters
 */
public void doFilter(ServletRequest servletrequest,
ServletResponse servletresponse, FilterChain filterchain)
throws IOException, ServletException {

// flag = true: validate only the URL / query string; flag = false: validate every field.
// Hard-coded, so the else branch below is dead code.
boolean flag = true;
if(flag){
// Only run the XSS check against the URL.
HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

// getRequestURL() excludes the query string and never yields null, so the
// requesturi != null checks below are always true.
String requesturi = httpServletRequest.getRequestURL().toString();
requesturi = URLDecoder.decode(requesturi, "UTF-8");
// Allow-list of callback pages that skip the check.
// NOTE(review): indexOf is a substring match, not a path comparison -- any request URL
// that merely contains one of these fragments anywhere in its path is passed through
// unfiltered. If these are specific endpoints, compare the servlet path exactly.
if(requesturi!=null&&requesturi.indexOf("alipay_hotel_book_return.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexOf("account_bank_return.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return;
}
if(requesturi!=null&&requesturi.indexOf("/alipay/activity.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return ;
}
if(requesturi!=null&&requesturi.indexOf("/alipayLogin.html")!=-1){
filterchain.doFilter(servletrequest, servletresponse);
return ;
}
RequestWrapper rw = new RequestWrapper(httpServletRequest);
String param = httpServletRequest.getQueryString();
// Nothing to check without a query string. ("".equals(param) is null-safe, so the
// order of the two conditions does not matter.)
if(!"".equals(param) && param != null) {
param = URLDecoder.decode(param, "UTF-8");
// Computed but never read.
String originalurl = requesturi + param;

String sqlParam = param;
// Apply the SQL-keyword check only on these two pages.
if(requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")){
sqlParam = rw.cleanSQLInject(param);
}

String xssParam = rw.cleanXSS(sqlParam);
// The decoded (not re-encoded) query is appended to build the redirect target.
requesturi += "?"+xssParam;

// Cleaning changed something: send the client to the cleaned URL instead of serving
// the request. NOTE(review): this only settles if a second pass over the cleaned
// query is a no-op; if cleanXSS/cleanSQLInject are not idempotent on their own
// output the next request is redirected again. The raw decoded query is also
// written to stdout here.
if(!xssParam.equals(param)){
System.out.println("requesturi::::::"+requesturi);
httpServletResponse.sendRedirect(requesturi);
System.out.println("no entered.");
//filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
return ;
}
}
filterchain.doFilter(servletrequest, servletresponse);
}else{

// Validate everything in the request, including form fields. This mode is strict and
// easily blocks legitimate form input; use with care. (Unreachable while flag is true.)
filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
}
}
RequestWrapper.java:

/**
 * No-argument constructor that passes {@code null} to the wrapper superclass.
 * NOTE(review): assuming this class extends HttpServletRequestWrapper (the class header
 * is not shown), the servlet API's wrapper constructor rejects a null request with
 * IllegalArgumentException, so this constructor cannot produce a usable instance.
 */
public RequestWrapper(){
super(null);
}

/**
 * Wraps {@code httpservletrequest} so that parameter and header reads go through the
 * cleaning overrides below.
 *
 * @param httpservletrequest the request to wrap; must not be {@code null}
 */
public RequestWrapper(HttpServletRequest httpservletrequest) {
super(httpservletrequest);
}

/**
 * Returns every value of parameter {@code s}, each passed through cleanSQLInject and
 * then cleanXSS.
 *
 * @param s parameter name
 * @return the cleaned values, or {@code null} when the parameter is absent
 */
public String[] getParameterValues(String s) {
String[] raw = super.getParameterValues(s);
if (raw == null) {
return null;
}
String[] cleaned = new String[raw.length];
for (int idx = 0; idx < raw.length; idx++) {
cleaned[idx] = cleanXSS(cleanSQLInject(raw[idx]));
}
return cleaned;
}

/**
 * Returns parameter {@code s} passed through cleanSQLInject and then cleanXSS.
 *
 * @param s parameter name
 * @return the cleaned value, or {@code null} when the parameter is absent
 */
public String getParameter(String s) {
String raw = super.getParameter(s);
return raw == null ? null : cleanXSS(cleanSQLInject(raw));
}

/**
 * Returns header {@code s} passed through cleanSQLInject and then cleanXSS.
 * Because cleanXSS strips {@code ;} and {@code ,}, multi-valued headers such as
 * Cookie or Accept are altered when this wrapper is in use.
 *
 * @param s header name
 * @return the cleaned value, or {@code null} when the header is absent
 */
public String getHeader(String s) {
String raw = super.getHeader(s);
return raw == null ? null : cleanXSS(cleanSQLInject(raw));
}

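/**
 * Reduces the XSS surface of a single string: strips a small blacklist of script
 * markers and punctuation, then HTML-encodes the remaining angle brackets, parentheses
 * and single quotes.
 *
 * Order matters. The listing as published replaced {@code <} with {@code <} (a no-op,
 * the entity text having been lost); the entities are restored here. The punctuation
 * strip now runs before encoding so that removing {@code ;} does not destroy the
 * {@code &lt;}-style entities just produced, and the regex checks run before
 * parentheses and quotes are encoded so that {@code eval(...)} and quoted
 * {@code javascript:} values are still recognisable.
 *
 * This is a lossy blacklist, not output encoding: legitimate text containing
 * "script" (e.g. "description"), commas, double quotes or "@" is altered, and it does
 * not replace context-aware escaping where the value is rendered.
 *
 * @param src raw input; {@code null} is returned unchanged
 * @return the cleaned string
 */
public String cleanXSS(String src) {
if (src == null) {
return null;
}
String temp = src;

System.out.println("xss---temp-->"+src);

// 1. Script markers: "eval(...)" and any "script" token, case-insensitive.
src = src.replaceAll("(?i)(eval\\((.*)\\)|script)", "");
// 2. A quoted "javascript:" value becomes an empty quoted string, case-insensitive.
src = src.replaceAll("(?i)[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", "\"\"");
// 3. Punctuation blacklist (literal matches). NOTE: "0x0d" / "0x0a" are matched as the
// literal four-character text, not as CR / LF -- kept as in the original; confirm intent.
src = src.replace(";", "")
.replace("\"", "")
.replace("@", "")
.replace("0x0d", "")
.replace("0x0a", "")
.replace(",", "");
// 4. Encode what is left so it cannot open a tag or a call when echoed into HTML.
src = src.replace("<", "&lt;").replace(">", "&gt;")
.replace("(", "&#40;").replace(")", "&#41;")
.replace("'", "&#39;");

if(!temp.equals(src)){
System.out.println("输入信息存在xss攻击!");
System.out.println("原始输入信息-->"+temp);
System.out.println("处理后信息-->"+src);
}
return src;
}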

// TODO: add wildcard matching and cover mixed upper/lower-case keyword spellings
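/**
 * Replaces a blacklist of SQL keywords with marker tokens in a single, case-insensitive
 * pass: insert / select / update / delete / and / or become forbidI / forbidS / forbidU /
 * forbidD / forbidA / forbidO.
 *
 * One pass over the original input (instead of chained replaceAll calls) is required
 * because the marker text itself contains "or": chaining rewrote the markers produced
 * by the earlier steps (e.g. "insert" ended up as "fforbidObidI"). For the same reason
 * the method is not idempotent -- a second pass over its output matches the "or" inside
 * "forbid" again.
 *
 * This is a substring blacklist, not an injection defence: it mangles ordinary words
 * ("order", "android", "sandbox") and covers only the listed keywords. Database access
 * must use parameterised queries (PreparedStatement); this method at most reduces noise.
 *
 * @param src raw input; {@code null} is returned unchanged
 * @return the input with blacklisted keywords replaced by their markers
 */
public String cleanSQLInject(String src) {
if (src == null) {
return null;
}
String temp = src;

// Capture group g of the alternation maps to markers[g - 1].
String[] markers = {"forbidI", "forbidS", "forbidU", "forbidD", "forbidA", "forbidO"};
Pattern keywords = Pattern.compile("(insert)|(select)|(update)|(delete)|(and)|(or)",
Pattern.CASE_INSENSITIVE);
Matcher m = keywords.matcher(src);
StringBuffer cleaned = new StringBuffer();
while (m.find()) {
for (int g = 1; g <= markers.length; g++) {
if (m.group(g) != null) {
// Markers contain no '$' or '\', so no quoteReplacement is needed.
m.appendReplacement(cleaned, markers[g - 1]);
break;
}
}
}
m.appendTail(cleaned);
src = cleaned.toString();

if(!temp.equals(src)){
System.out.println("输入信息存在SQL攻击!");
System.out.println("原始输入信息-->"+temp);
System.out.println("处理后信息-->"+src);
}
return src;
}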

xml配置:


<!-- Registers XSSFilter for every request (url-pattern /*). The encoding init-param is
     declared here, but the doFilter shown above decodes with a hard-coded "UTF-8";
     whether init() reads this parameter is not visible in the listing. -->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>cn.com.jsoft.xss.XSSFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

以上代码只是把特殊的 SQL 关键字和 script 脚本字符替换或删除掉，属于黑名单式过滤，不能代替参数化查询（PreparedStatement）和输出时的转义；具体的业务校验仍需在后台处理。

关于这篇java 过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持脚本之家。
