欢迎来到福编程网,本站提供各种互联网专业知识!

Java防止SQL注入的几个途径

发布时间:1970-01-01 作者:佚名 来源:互联网
java防SQL注入,最简单的办法是杜绝SQL拼接,SQL注入攻击能得逞是因为在原有SQL语句中加入了新的逻辑

java防SQL注入,最简单的办法是杜绝SQL拼接,SQL注入攻击能得逞是因为在原有SQL语句中加入了新的逻辑,如果使用PreparedStatement来代替Statement来执行SQL语句,其后只是输入参数,SQL注入攻击手段将无效,这是因为PreparedStatement不允许在不同的插入时间改变查询的逻辑结构 ,大部分的SQL注入已经挡住了, 在WEB层我们可以过滤用户的输入来防止SQL注入比如用Filter来过滤全局的表单参数

01 import java.io.IOException;

02 import java.util.Iterator;

03 import javax.servlet.Filter;

04 import javax.servlet.FilterChain;

05 import javax.servlet.FilterConfig;

06 import javax.servlet.ServletException;

07 import javax.servlet.ServletRequest;

08 import javax.servlet.ServletResponse;

09 import javax.servlet.http.HttpServletRequest;

10 import javax.servlet.http.HttpServletResponse;

11 /**

12 * 通过Filter过滤器来防SQL注入攻击

13 *

14 */

15 public class SQLFilter implements Filter {

16 private String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";

17 protected FilterConfig filterConfig = null;

18 /**

19 * Should a character encoding specified by the client be ignored?

20 */

21 protected boolean ignore = true;

22 public void init(FilterConfig config) throws ServletException {

23 this.filterConfig = config;

24 this.inj_str = filterConfig.getInitParameter("keywords");

25 }

26 public void doFilter(ServletRequest request, ServletResponse response,

27 FilterChain chain) throws IOException, ServletException {

28 HttpServletRequest req = (HttpServletRequest)request;

29 HttpServletResponse res = (HttpServletResponse)response;

30 Iterator values = req.getParameterMap().values().iterator();//获取所有的表单参数

31 while(values.hasNext()){

32 String[] value = (String[])values.next();

33 for(int i = 0;i < value.length;i++){

34 if(sql_inj(value[i])){

35 //TODO这里发现sql注入代码的业务逻辑代码

36 return;

37 }

38 }

39 }

40 chain.doFilter(request, response);

41 }

42 public boolean sql_inj(String str)

43 {

44 String[] inj_stra=inj_str.split("|");

45 for (int i=0 ; i < inj_stra.length ; i++ )

46 {

47 if (str.indexOf(" "+inj_stra[i]+" ")>=0)

48 {

49 return true;

50 }

51 }

52 return false;

53 }

54 }

也可以单独在需要防范SQL注入的JavaBean的字段上过滤:

1 /**

2 * 防止sql注入

3 *

4 * @param sql

5 * @return

6 */

7 public static String TransactSQLInjection(String sql) {

8 return sql.replaceAll(".*([';]+|(--)+).*", " ");

9 }

相关推荐