
java 过滤器filter防sql注入的实现代码



实例如下:

xssfilter.java

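/**
 * Screens the query string of every request for XSS payloads (and, on two question/answer
 * pages, a fixed list of SQL keywords) before passing the request down the chain.
 *
 * <p>Flow, in order: percent-decode the request URL; let a handful of payment-callback and
 * login URLs through untouched; decode the query string, rewrite it with
 * {@code RequestWrapper.cleanSQLInject} (two paths only) and {@code RequestWrapper.cleanXSS};
 * if the rewrite changed anything, redirect the client to the rewritten URL instead of
 * serving the request.
 *
 * <p>Limits a reviewer should know, all visible in this method:
 * <ul>
 *   <li>Only the query string is inspected. The {@code RequestWrapper} is constructed but is
 *       NOT what is passed to the chain, so POST bodies, headers and cookies reach the servlet
 *       unchanged while {@code onlyUrl} is {@code true}.</li>
 *   <li>The bypass list is matched by substring on the decoded URL, so any URL that merely
 *       contains one of those fragments skips the check; an exact comparison against
 *       {@code getServletPath()} would be tighter.</li>
 *   <li>The redirect re-sends the decoded, rewritten query without re-encoding it, so a
 *       rewritten value containing {@code &} or {@code =} changes the parameter layout, and
 *       the absolute URL comes from {@code getRequestURL()} (typically derived from the Host
 *       header). The redirect target is also printed to {@code System.out} as-is.</li>
 *   <li>Keyword rewriting is not a substitute for parameterised queries or output encoding.</li>
 * </ul>
 *
 * <p>NOTE(review): the listing this was taken from had its identifiers lower-cased; servlet
 * API names are restored here, and {@code RequestWrapper}/{@code cleanXSS}/{@code cleanSQLInject}
 * are assumed to be the project's names — confirm against the source.
 *
 * @param servletRequest  the incoming request; cast to {@code HttpServletRequest}
 * @param servletResponse the response; cast to {@code HttpServletResponse}
 * @param filterChain     the remaining filter chain
 * @throws IOException      from {@code sendRedirect}/{@code sendError} or the chain
 * @throws ServletException from the chain
 */
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
		FilterChain filterChain) throws IOException, ServletException {
	// onlyUrl = true: inspect only the query string.
	// onlyUrl = false: wrap the request so every parameter and header is rewritten; the
	// original author warns this is strict enough to break normal form input.
	// The value is hard-coded, so the wrapper branch is effectively disabled.
	final boolean onlyUrl = true;
	if (!onlyUrl) {
		filterChain.doFilter(new RequestWrapper((HttpServletRequest) servletRequest), servletResponse);
		return;
	}

	HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
	HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;

	String requestUri = decodeUtf8(httpRequest.getRequestURL().toString());
	if (requestUri == null) {
		// A malformed %-escape used to surface as an uncaught IllegalArgumentException (500).
		httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
		return;
	}

	// Third-party callbacks and the login page are exempt from the check
	// (substring match, exactly as in the original).
	String[] bypassFragments = {
			"alipay_hotel_book_return.html",
			"account_bank_return.html",
			"/alipay/activity.html",
			"/alipaylogin.html"
	};
	for (String fragment : bypassFragments) {
		if (requestUri.contains(fragment)) {
			filterChain.doFilter(servletRequest, servletResponse);
			return;
		}
	}

	RequestWrapper wrapper = new RequestWrapper(httpRequest);
	String param = httpRequest.getQueryString();
	if (param != null && !param.isEmpty()) {
		param = decodeUtf8(param);
		if (param == null) {
			httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
			return;
		}

		// SQL-keyword rewriting is applied to just these two pages.
		String sqlParam = param;
		if (requestUri.endsWith("/askquestion.html") || requestUri.endsWith("/member/answer.html")) {
			sqlParam = wrapper.cleanSQLInject(param);
		}
		String xssParam = wrapper.cleanXSS(sqlParam);

		if (!xssParam.equals(param)) {
			// Something was rewritten: send the client to the sanitised URL instead.
			String cleanedUrl = requestUri + "?" + xssParam;
			System.out.println("requesturi::::::" + cleanedUrl);
			httpResponse.sendRedirect(cleanedUrl);
			System.out.println("no entered.");
			return;
		}
	}
	filterChain.doFilter(servletRequest, servletResponse);
}

/**
 * Percent-decodes {@code value} as UTF-8.
 *
 * @param value the text to decode
 * @return the decoded text, or {@code null} if {@code value} contains a malformed escape
 * @throws IOException if the JVM lacks UTF-8 (UnsupportedEncodingException; not expected)
 */
private static String decodeUtf8(String value) throws IOException {
	try {
		return URLDecoder.decode(value, "utf-8");
	} catch (IllegalArgumentException malformedEscape) {
		return null;
	}
}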
requestwrapper.java:


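/**
 * No-argument constructor kept from the original listing.
 *
 * <p>NOTE(review): per the servlet API contract, {@code ServletRequestWrapper} rejects a
 * {@code null} request with {@code IllegalArgumentException}, so this constructor cannot
 * produce a usable instance. Use {@link #RequestWrapper(HttpServletRequest)} instead.
 * (Identifier casing restored from the lower-cased listing — confirm the class name.)
 */
public RequestWrapper() {
	super(null);
}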

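	/**
	 * Wraps {@code httpServletRequest} so that {@code getParameter}, {@code getParameterValues}
	 * and {@code getHeader} return rewritten values (see those overrides).
	 *
	 * @param httpServletRequest the request to wrap; must not be {@code null}
	 */
	public RequestWrapper(HttpServletRequest httpServletRequest) {
		super(httpServletRequest);
	}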

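	/**
	 * Returns the parameter's values with {@code cleanSQLInject} and then {@code cleanXSS}
	 * applied to each one.
	 *
	 * <p>Only {@code getParameter}, {@code getParameterValues} and {@code getHeader} are
	 * overridden in this excerpt. Code that reads {@code getParameterMap()}, the request body
	 * ({@code getReader()}/{@code getInputStream()}) or {@code getHeaders(name)} still sees the
	 * unmodified input, so this wrapper cannot be the only defence.
	 *
	 * @param name the parameter name
	 * @return a fresh array of rewritten values, or {@code null} when the parameter is absent
	 */
	@Override
	public String[] getParameterValues(String name) {
		String[] rawValues = super.getParameterValues(name);
		if (rawValues == null) {
			return null;
		}
		String[] cleaned = new String[rawValues.length];
		for (int i = 0; i < rawValues.length; i++) {
			cleaned[i] = cleanXSS(cleanSQLInject(rawValues[i]));
		}
		return cleaned;
	}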

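	/**
	 * Returns the parameter value with {@code cleanSQLInject} and then {@code cleanXSS} applied.
	 *
	 * <p>Both rewrites are lossy (they delete {@code ; " @ ,} and mangle any word containing
	 * {@code or}/{@code and}), so the servlet never sees the original input.
	 *
	 * @param name the parameter name
	 * @return the rewritten value, or {@code null} when the parameter is absent
	 */
	@Override
	public String getParameter(String name) {
		String rawValue = super.getParameter(name);
		if (rawValue == null) {
			return null;
		}
		return cleanXSS(cleanSQLInject(rawValue));
	}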

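	/**
	 * Returns the header value with {@code cleanSQLInject} and then {@code cleanXSS} applied.
	 *
	 * <p>Rewriting headers corrupts legitimate values: {@code cleanXSS} deletes {@code ;}, so a
	 * header such as {@code Content-Type: text/html; charset=UTF-8} loses its parameter, and
	 * any header containing the text {@code script} (e.g. an Accept value of
	 * {@code application/javascript}) is altered. {@code getHeaders(name)} and
	 * {@code getHeaderNames()} are not overridden here and return the raw values.
	 *
	 * @param name the header name
	 * @return the rewritten value, or {@code null} when the header is absent
	 */
	@Override
	public String getHeader(String name) {
		String rawValue = super.getHeader(name);
		if (rawValue == null) {
			return null;
		}
		return cleanXSS(cleanSQLInject(rawValue));
	}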

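	/**
	 * Rewrites {@code src} so that a fixed set of HTML/JavaScript constructs are removed or
	 * entity-encoded, printing a before/after pair on {@code System.out} when anything changed.
	 *
	 * <p>Steps: delete {@code eval(...)}, the word {@code script} (any case), quoted
	 * {@code javascript:} URLs, and the characters {@code ; " @ ,} plus CR/LF; then encode
	 * {@code < > ( ) '} as HTML entities. The removals run before the encoding so the
	 * {@code ;} strip cannot corrupt the entities it just produced (in the original order the
	 * output for {@code <} was the invalid {@code &lt}) and so the parenthesis-based patterns
	 * can still match.
	 *
	 * <p>This is a blacklist, not a contextual encoder: it destroys legitimate data (email
	 * addresses lose {@code @}, CSV-style values lose {@code ,}, any word containing
	 * "script" is cut) and misses anything not on the list. Output encoding at the point
	 * of rendering is still required.
	 *
	 * <p>NOTE(review): the listing this came from rendered its HTML entities, showing the
	 * encodings as no-op replacements ({@code "<" -> "<"}); the entity targets below are the
	 * evident intent — confirm against the project source. The original also stripped the
	 * literal text {@code 0x0d}/{@code 0x0a}; that is taken to mean CR/LF here.
	 *
	 * @param src the value to rewrite; {@code null} is returned unchanged
	 * @return the rewritten value
	 */
	public String cleanXSS(String src) {
		if (src == null) {
			return null;
		}
		String original = src;
		// Prints the raw, untrusted value before CR/LF are stripped — a crafted value can
		// therefore inject extra lines into whatever captures stdout.
		System.out.println("xss---temp-->" + src);

		// 1. Removals.
		Pattern pattern = Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
		src = pattern.matcher(src).replaceAll("");
		pattern = Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
		src = pattern.matcher(src).replaceAll("\"\"");
		src = src.replace("script", "")
				.replace(";", "")
				.replace("\"", "")
				.replace("@", "")
				.replace("\r", "")
				.replace("\n", "")
				.replace(",", "");

		// 2. Entity-encode the remaining markup characters.
		src = src.replace("<", "&lt;").replace(">", "&gt;");
		src = src.replace("(", "&#40;").replace(")", "&#41;");
		src = src.replace("'", "&#39;");

		if (!original.equals(src)) {
			System.out.println("输入信息存在xss攻击!");
			System.out.println("原始输入信息-->" + original);
			System.out.println("处理后信息-->" + src);
		}
		return src;
	}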
	
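	/**
	 * Replaces six SQL keywords with {@code forbid*} markers, case-insensitively, and prints a
	 * before/after pair on {@code System.out} when anything changed.
	 *
	 * <p>The original matched lower-case only and carried a TODO to cover mixed case; the
	 * {@code (?i)} flag does that. It is still keyword mangling, not an injection defence: it
	 * rewrites ordinary words ({@code order}, {@code android}, {@code password} all contain
	 * {@code or} or {@code and}) and cannot recognise anything not on the list. Queries must
	 * bind user input through {@code PreparedStatement} parameters regardless of this method.
	 *
	 * @param src the value to rewrite; {@code null} is returned unchanged
	 * @return the rewritten value
	 */
	public String cleanSQLInject(String src) {
		if (src == null) {
			return null;
		}
		String original = src;
		// (keyword, marker) pairs, applied in this order as in the original.
		String[][] rewrites = {
				{"insert", "forbidi"},
				{"select", "forbids"},
				{"update", "forbidu"},
				{"delete", "forbidd"},
				{"and", "forbida"},
				{"or", "forbido"}
		};
		for (String[] rewrite : rewrites) {
			src = src.replaceAll("(?i)" + rewrite[0], rewrite[1]);
		}

		if (!original.equals(src)) {
			System.out.println("输入信息存在sql攻击!");
			System.out.println("原始输入信息-->" + original);
			System.out.println("处理后信息-->" + src);
		}
		return src;
	}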

xml配置:

<filter>
		<filter-name>xssfilter</filter-name>
		<filter-class>cn.com.jsoft.xss.xssfilter</filter-class>
		<init-param>
			<param-name>encoding</param-name>
			<param-value>utf-8</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>xssfilter</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

以上代码仅仅把特定的 SQL 关键字和 script 脚本字符替换掉,属于黑名单式过滤,并不能替代后台的参数化查询和输出编码;具体的页面处理仍需后台完成!!

关于这篇java 过滤器filter防sql注入的实现代码就是小编分享给大家的全部内容了,希望能给大家一个参考,也希望大家多多支持移动技术网。

