Java防止SQL注入的方法
Java防止SQL注入的方法
Java 防 SQL 注入，最简单的办法是杜绝 SQL 拼接。SQL 注入攻击能得逞，是因为在原有 SQL 语句中加入了新的逻辑；如果使用 PreparedStatement 来代替 Statement 执行 SQL 语句，其后只是输入参数，SQL 注入攻击手段将无效，这是因为 PreparedStatement 不允许在不同的插入时间改变查询的逻辑结构，大部分的 SQL 注入就已经挡住了。在 WEB 层我们还可以过滤用户的输入来防止 SQL 注入（这只是补充手段，不能替代参数化查询），比如用 Filter 来过滤全局的表单参数：
import java.io.IOException;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
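/**
 * Servlet {@link Filter} that rejects a request when any request parameter
 * contains one of a configurable list of SQL keywords.
 *
 * <p>This is a supplementary, defence-in-depth check only. A keyword
 * blacklist cannot replace parameterised queries ({@code PreparedStatement}):
 * it knows nothing about the context a value ends up in, and it also rejects
 * legitimate input that happens to contain a listed token (the default list
 * includes {@code "-"}, {@code "+"} and {@code ","}). The SQL itself must
 * still bind parameters instead of concatenating strings.
 */
public class SQLFilter implements Filter {

    /**
     * Built-in keyword list, separated by {@code |}; replaced by the
     * {@code keywords} filter init parameter when one is configured.
     */
    private static final String DEFAULT_KEYWORDS =
            "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";

    /** Active keyword list ({@code |}-separated); never {@code null}. */
    private String inj_str = DEFAULT_KEYWORDS;

    protected FilterConfig filterConfig = null;

    /**
     * Should a character encoding specified by the client be ignored?
     * (Kept for compatibility; nothing in this class currently reads it.)
     */
    protected boolean ignore = true;

    /**
     * Stores the filter configuration and loads the {@code keywords} init
     * parameter. The built-in list is kept when the parameter is absent or
     * blank, so that {@link #sql_inj(String)} never works on a {@code null}
     * list (the previous version assigned the missing parameter straight
     * through and failed on the first request).
     *
     * @param config the container-supplied configuration
     * @throws ServletException declared by the interface; not thrown here
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
        String configured = config.getInitParameter("keywords");
        if (configured != null && configured.trim().length() > 0) {
            this.inj_str = configured;
        }
    }

    /**
     * Inspects every value of every request parameter. On the first hit the
     * request is answered with {@code 400 Bad Request} and the chain is not
     * continued; otherwise the request proceeds unchanged.
     *
     * @param request  incoming request (cast to {@link HttpServletRequest})
     * @param response outgoing response (cast to {@link HttpServletResponse})
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // All request (form) parameters; each name maps to one or more values.
        Map<String, String[]> params = req.getParameterMap();
        for (String[] values : params.values()) {
            for (String value : values) {
                if (sql_inj(value)) {
                    // Returning without writing anything (the previous behaviour)
                    // left the client with an empty response. An explicit status
                    // makes the rejection visible; replace with application-specific
                    // handling (logging, redirect) if required.
                    res.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} when {@code str} contains one of the configured
     * keywords delimited by spaces (e.g. {@code " select "}).
     *
     * <p>The space delimiting is kept from the original so that words such as
     * "selection" are not flagged; the value is padded with one space on each
     * side so a token at the very start or end of the value counts as well.
     * Matching is case-insensitive. Empty entries in the keyword list are
     * skipped (an empty keyword would otherwise match any double space).
     *
     * @param str parameter value to inspect; {@code null} or empty is treated as clean
     * @return whether a blacklisted token was found
     */
    public boolean sql_inj(String str) {
        if (str == null || str.length() == 0 || inj_str == null) {
            return false;
        }
        String padded = " " + str.toLowerCase(Locale.ROOT) + " ";
        for (String keyword : inj_str.split("\\|")) {
            if (keyword.length() == 0) {
                continue;
            }
            if (padded.contains(" " + keyword.toLowerCase(Locale.ROOT) + " ")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Releases the configuration reference. Required by the {@link Filter}
     * interface on Servlet API versions where it has no default implementation.
     */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
}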
也可以单独在需要防范 SQL 注入的 JavaBean 字段上过滤：
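/**
 * Pattern from the original {@code replaceAll}: any run of {@code '} or
 * {@code ;}, or of {@code --}, together with everything around it on the
 * same line ({@code .} does not cross line terminators). Compiled once
 * instead of on every call.
 */
private static final java.util.regex.Pattern INJECTION_PATTERN =
        java.util.regex.Pattern.compile(".*([';]+|(--)+).*");

/**
 * Blanks out input that contains characters commonly used to terminate a SQL
 * string literal or statement ({@code '}, {@code ;}) or to start a comment
 * ({@code --}).
 *
 * <p>Because the pattern is wrapped in {@code .*} on both sides, the whole
 * line containing such a token is replaced by a single space, not just the
 * offending characters. This is a coarse last-resort filter, not a substitute
 * for parameterised queries ({@code PreparedStatement}).
 *
 * @param sql the raw input value; {@code null} is returned unchanged
 * @return the input with each line that contains a listed token replaced by {@code " "}
 */
public static String TransactSQLInjection(String sql) {
    if (sql == null) {
        return null;
    }
    return INJECTION_PATTERN.matcher(sql).replaceAll(" ");
}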
引自:http://www.popo4j.com/article/Java-SQL-injection.html