java 过滤器filter防sql注入的实现代码

  • 时间:2020-12-21 11:36 编辑: 来源: 阅读:
摘要:java 过滤器filter防sql注入的实现代码
实例如下: XSSFilter.java
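/**
 * Checks the query string of each request for XSS fragments (and, on two
 * endpoints, SQL keywords) before the request reaches the application.
 *
 * <p>With {@code flag == true} only the URL is validated: the query string is
 * decoded and cleaned, and when cleaning changed it the client is redirected
 * to the cleaned URL instead of being served. With {@code flag == false} the
 * request is wrapped in {@link RequestWrapper}, so every parameter and header
 * is cleaned on read; the author notes this easily blocks legitimate form
 * input.
 *
 * <p>NOTE(review): this is a denylist sanitiser. It does not replace
 * parameterised SQL and contextual output encoding at the rendering sink;
 * treat it as defence in depth only.
 *
 * @param servletrequest  incoming request, cast to {@link HttpServletRequest}
 * @param servletresponse outgoing response, cast to {@link HttpServletResponse}
 * @param filterchain     the remainder of the filter chain
 * @throws IOException      from URL decoding or the servlet API
 * @throws ServletException from the downstream chain
 */
public void doFilter(ServletRequest servletrequest,
   ServletResponse servletresponse, FilterChain filterchain)
   throws IOException, ServletException {
  // flag = true: validate only the URL; flag = false: validate every field.
  boolean flag = true;
  if (!flag) {
    // Validates everything in the request, including form fields. This mode
    // is strict and easily rejects normal form input; use with care.
    filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);
    return;
  }

  HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
  HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

  // Match exemptions against the request path rather than getRequestURL():
  // the full URL also carries the scheme and the client-supplied Host header,
  // so a substring match on it could be satisfied by the host part instead of
  // the path.
  String path = URLDecoder.decode(httpServletRequest.getRequestURI(), "UTF-8");
  if (isExemptPath(path)) {
    filterchain.doFilter(servletrequest, servletresponse);
    return;
  }

  String param = httpServletRequest.getQueryString();
  if (param != null && !param.isEmpty()) {
    param = URLDecoder.decode(param, "UTF-8");
    RequestWrapper rw = new RequestWrapper(httpServletRequest);

    // SQL-keyword filtering is applied only on the two question/answer pages.
    String sqlParam = param;
    if (path.endsWith("/askQuestion.html") || path.endsWith("/member/answer.html")) {
      sqlParam = rw.cleanSQLInject(param);
    }
    String xssParam = rw.cleanXSS(sqlParam);

    if (!xssParam.equals(param)) {
      // Cleaning changed the query: redirect to the cleaned URL. The decoded
      // query is appended as-is (not re-encoded), as in the original; proper
      // re-encoding would require splitting it into name/value pairs first.
      String requesturi = URLDecoder.decode(httpServletRequest.getRequestURL().toString(), "UTF-8")
          + "?" + xssParam;
      // NOTE(review): this prints the full URL, query string included, to
      // stdout, so any sensitive query values end up in the log.
      System.out.println("requesturi::::::" + requesturi);
      httpServletResponse.sendRedirect(requesturi);
      System.out.println("no entered.");
      return;
    }
  }
  filterchain.doFilter(servletrequest, servletresponse);
}

/**
 * Returns whether {@code path} is one of the callback/landing pages that
 * bypass the filter entirely. Suffix matching (instead of {@code indexOf})
 * keeps a page name that merely appears somewhere inside a longer path from
 * qualifying.
 *
 * @param path the decoded request path
 * @return {@code true} when the filter should let the request through unchecked
 */
private static boolean isExemptPath(String path) {
  return path.endsWith("alipay_hotel_book_return.html")
      || path.endsWith("account_bank_return.html")
      || path.endsWith("/alipay/activity.html")
      || path.endsWith("/alipayLogin.html");
}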
RequestWrapper.java:


/**
 * No-argument constructor.
 *
 * <p>NOTE(review): the servlet API's ServletRequestWrapper rejects a
 * {@code null} request with IllegalArgumentException, so this constructor is
 * expected to throw on every call — confirm whether any caller still uses it.
 */
public RequestWrapper(){
  super(null);
 }

 /**
  * Wraps {@code httpservletrequest} so that parameters and headers are
  * cleaned on read.
  *
  * @param httpservletrequest the request to wrap
  */
 public RequestWrapper(HttpServletRequest httpservletrequest) {
  super(httpservletrequest);
 }

 /**
  * Returns every value of the named parameter after SQL-keyword and XSS
  * cleaning, preserving order; {@code null} when the parameter is absent.
  *
  * @param s parameter name
  * @return a new array of cleaned values, or {@code null}
  */
 public String[] getParameterValues(String s) {
  String[] rawValues = super.getParameterValues(s);
  if (rawValues == null) {
   return null;
  }
  String[] cleaned = new String[rawValues.length];
  int idx = 0;
  for (String value : rawValues) {
   cleaned[idx++] = cleanXSS(cleanSQLInject(value));
  }
  return cleaned;
 }

 /**
  * Returns the named parameter after SQL-keyword and XSS cleaning, or
  * {@code null} when the parameter is absent.
  *
  * @param s parameter name
  * @return the cleaned value, or {@code null}
  */
 public String getParameter(String s) {
  String raw = super.getParameter(s);
  return raw == null ? null : cleanXSS(cleanSQLInject(raw));
 }

 /**
  * Returns the named header after SQL-keyword and XSS cleaning, or
  * {@code null} when the header is absent.
  *
  * <p>NOTE(review): cleanXSS removes {@code ';'} and {@code ','}, so headers
  * that use them as separators (Cookie, Accept, ...) come back altered when
  * read through this method. Whether getHeaders()/getCookies() are also
  * overridden is not visible here — confirm.
  *
  * @param s header name
  * @return the cleaned value, or {@code null}
  */
 public String getHeader(String s) {
  String raw = super.getHeader(s);
  return raw == null ? null : cleanXSS(cleanSQLInject(raw));
 }

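 /**
  * Removes script-like fragments from {@code src} and HTML-encodes the
  * characters most often used to break out of an HTML context.
  *
  * <p>Order matters: the removal passes run first and the entity encoding
  * runs last, so the {@code ';'} stripping cannot undo the {@code &lt;}-style
  * encodings, and the {@code eval(...)} / quoted {@code javascript:} patterns
  * are matched against the raw text rather than against already-encoded
  * parentheses and quotes. (As rendered on the source page the encoding calls
  * read as {@code replaceAll("<", "<")}, i.e. identity replacements; the HTML
  * entity targets are restored here.)
  *
  * <p>NOTE(review): a denylist like this cannot be complete. The reliable
  * control is contextual output encoding where the value is rendered; treat
  * this as defence in depth only. The method also prints every input to
  * stdout, so request data reaches the log unfiltered.
  *
  * @param src raw input; {@code null} is returned unchanged
  * @return the cleaned text, or {@code src} itself when nothing changed
  */
 public String cleanXSS(String src) {
  if (src == null) {
   return null;
  }
  String original = src;
  System.out.println("xss---temp-->" + src);

  // 1. Remove eval(...) calls and the word "script", case-insensitively.
  Pattern pattern = Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
  Matcher matcher = pattern.matcher(src);
  src = matcher.replaceAll("");

  // 2. Replace a quoted javascript: URL with an empty quoted string.
  pattern = Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
  matcher = pattern.matcher(src);
  src = matcher.replaceAll("\"\"");

  // 3. Drop the remaining denylisted tokens and separators.
  src = src.replaceAll("script", "").replaceAll(";", "")
   .replaceAll("\"", "").replaceAll("@", "")
   .replaceAll("0x0d", "")
   .replaceAll("0x0a", "").replaceAll(",", "");

  // 4. Encode last, so the entities' trailing ';' survive step 3.
  src = src.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
  src = src.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
  src = src.replaceAll("'", "&#39;");

  if (!original.equals(src)) {
   System.out.println("输入信息存在xss攻击!");
   System.out.println("原始输入信息-->" + original);
   System.out.println("处理后信息-->" + src);
  }
  return src;
 }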
 
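 /**
  * Replaces SQL keywords in {@code src} with a {@code forbidX} marker.
  *
  * <p>Matching is case-insensitive and anchored on word boundaries, so mixed
  * case such as {@code SeLeCt} is caught while words that merely contain a
  * keyword ({@code order}, {@code android}, {@code border}) are left intact;
  * the original case-sensitive substring replacement mangled those.
  *
  * <p>NOTE(review): keyword denylisting is not a SQL-injection defence — the
  * database must be accessed through {@code PreparedStatement} placeholders
  * (or an equivalent parameterised API). Keep this only as a heuristic
  * signal. The method prints its input to stdout when a keyword is found.
  *
  * @param src raw input; {@code null} is returned unchanged
  * @return the text with keywords replaced, or {@code src} when nothing matched
  */
 public String cleanSQLInject(String src) {
  if (src == null) {
   return null;
  }
  String original = src;
  // (?i) = case-insensitive, \b = whole-word match.
  src = src.replaceAll("(?i)\\binsert\\b", "forbidI")
   .replaceAll("(?i)\\bselect\\b", "forbidS")
   .replaceAll("(?i)\\bupdate\\b", "forbidU")
   .replaceAll("(?i)\\bdelete\\b", "forbidD")
   .replaceAll("(?i)\\band\\b", "forbidA")
   .replaceAll("(?i)\\bor\\b", "forbidO");

  if (!original.equals(src)) {
   System.out.println("输入信息存在SQL攻击!");
   System.out.println("原始输入信息-->" + original);
   System.out.println("处理后信息-->" + src);
  }
  return src;
 }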
xml配置:
<!-- Registers cn.com.jsoft.xss.XSSFilter under the name XssFilter. -->
<filter>
  <filter-name>XssFilter</filter-name>
  <filter-class>cn.com.jsoft.xss.XSSFilter</filter-class>
  <!-- NOTE(review): the doFilter shown above hard-codes "UTF-8" for URL
       decoding and does not read this parameter; its init() is not shown,
       so confirm whether anything consumes it. -->
  <init-param>
   <param-name>encoding</param-name>
   <param-value>UTF-8</param-value>
  </init-param>
 </filter>
 <!-- Applies the filter to every request in the web application. -->
 <filter-mapping>
  <filter-name>XssFilter</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
以上代码仅仅将特殊的 SQL 字符和 script 脚本字符处理掉,具体的页面处理还需要后台处理。 关于这篇java 过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持编程素材网。