当前位置:
java防SQL注入,最简单的办法是杜绝SQL拼接,SQL注入攻击能得逞是因为在原有SQL语句中加入了新的逻辑,如果使用PreparedStatement来代替Statement来执行SQL语句,其后只是输入参数,SQL注入攻击手段将无效,这是因为PreparedStatement不允许在不同的插入时间改变查询的逻辑结构 ,大部分的SQL注入已经挡住了, 在WEB层我们可以过滤用户的输入来防止SQL注入比如用Filter来过滤全局的表单参数
01 import ception
02 import ator
03 import er
04 import erChain
05 import erConfig
06 import letException
07 import letRequest
08 import letResponse
09 import ServletRequest
10 import ServletResponse
11 /**
12 * 通过Filter过滤器来防SQL注入攻击
13 *
14 */
15 public class SQLFilter implements Filter {
16 private String inj_str = "|and|exec|insert|select|delete|update|count|*|%
|chr|mid|master|truncate|char|declare||or|-|+|,"
17 protected FilterConfig filterConfig = null
18 /**
19 * Should a character encoding specified by the client be ignored?
20 */
21 protected boolean ignore = true
22 public void init(FilterConfig config) throws ServletException {
23 erConfig = config
24 _str = nitParameter("keywords")
25 }
26 public void doFilter(ServletRequest request, ServletResponse response,
27 FilterChain chain) throws IOException, ServletException {
28 HttpServletRequest req = (HttpServletRequest)request
29 HttpServletResponse res = (HttpServletResponse)response
30 Iterator values = arameterMap()es()ator()//获取所有的表单参数
31 while(ext()){
32 String[] value = (String[])()
33 for(int i = 0i < thi++){
34 if(sql_inj(value[i])){
35 //TODO这里发现sql注入代码的业务逻辑代码
36 return
37 }
38 }
39 }
40 lter(request, response)
41 }
42 public boolean sql_inj(String str)
43 {
44 String[] inj_stra=inj_t("|")
45 for (int i=0 i < inj_th i++ )
46 {
47 if (xOf(" "+inj_stra[i]+" ")>=0)
48 {
学习资源