JAVA拦截器拦截SQL注入(所有参数)


import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.support.SpringBeanAutowiringSupport;

import com.gsww.jzfp.util.JsonParser;
import com.gsww.jzfp.util.StringHelper;

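/**
 * Servlet filter that rejects a request when the concatenation of all of its
 * request-parameter values contains one of a fixed list of keywords, and
 * otherwise passes the request down the chain.
 *
 * <p>Only data returned by {@code getParameterValues} is inspected; headers,
 * cookies, the request path and raw request bodies are not. Keyword
 * blocklisting is a coarse heuristic: it does not replace parameterized SQL
 * and output encoding in the code that consumes these values, and it rejects
 * legitimate input that merely contains a listed word (for example "from",
 * "mid", "asc") or a '%' character.
 */
public class ParameterFilter implements Filter {

    private static final Logger log = LoggerFactory.getLogger(ParameterFilter.class);

    /**
     * Substrings that cause a request to be rejected, matched case-insensitively
     * against the concatenation of all parameter values. The list is kept verbatim
     * from the original so the set of rejected requests is unchanged; it is split
     * once here instead of on every call. The trailing '|' produces no empty entry
     * (split drops trailing empty strings), which matters because an empty entry
     * would match every input.
     */
    private static final String[] BLOCKED_FRAGMENTS = (
            "net user|xp_cmdshell|/add|exec master.dbo.xp_cmdshell|"
            + "net localgroup administrators|select|count|asc|mid|insert|"
            + "delete from|drop table|update|truncate|"
            + "from|%|javascript|script|").split("\\|");

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        log.info("Initializing filter 'ParameterFilter'");
        SpringBeanAutowiringSupport.processInjectionBasedOnServletContext(
                this, filterConfig.getServletContext());
    }

    /**
     * Joins every parameter value of the request and either rejects the request
     * (redirecting to the login page) or continues the filter chain.
     *
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        // The original called getSession() here, which creates a session when none
        // exists. Retained so that downstream code relying on a session being present
        // is unaffected; TODO(review): drop this call if nothing depends on it.
        req.getSession();

        String joined = joinParameterValues(req);
        if (isSQLOrScript(joined)) {
            // Log the fact only, not the values, which are user-supplied.
            log.debug("传入的参数存在非法字符!");
            this.dispatchLoginPage(request, response, "参数存在非法字符!");
        } else {
            chain.doFilter(request, response);
        }
    }

    /**
     * Concatenates every value of every request parameter, in enumeration order,
     * with no separator (as the original did). Because there is no separator, a
     * blocked fragment can also be formed by two adjacent values.
     */
    private static String joinParameterValues(HttpServletRequest req) {
        StringBuilder joined = new StringBuilder();
        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = req.getParameterValues(names.nextElement());
            if (values == null) {
                continue;
            }
            for (String value : values) {
                joined.append(value);
            }
        }
        return joined.toString();
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Sends a script that shows {@code msg} and redirects the top window to the
     * application's login page.
     *
     * <p>{@code msg} and the context path are embedded inside a single-quoted
     * JavaScript string literal, so both are escaped for that context.
     * {@code responseScript} is not part of this listing.
     */
    private void dispatchLoginPage(ServletRequest request, ServletResponse response, String msg) {
        String url = request.getServletContext().getContextPath() + "/login.jsp";
        this.responseScript(response,
                "alert('" + jsStringEscape(msg) + "');top.location.href='" + jsStringEscape(url) + "';");
    }

    /**
     * Escapes the characters that could terminate a single-quoted JavaScript
     * string literal or the enclosing script element. {@code null} is rendered
     * as "null", matching plain string concatenation.
     */
    private static String jsStringEscape(String s) {
        String text = String.valueOf(s);
        StringBuilder out = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '\'': out.append("\\'"); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '<':  out.append("\\u003c"); break;
                case '>':  out.append("\\u003e"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Marks a non-redirect response as uncacheable and sets UTF-8 encoding.
     * Not called from this listing (its call site in doFilter is commented out).
     */
    private void initContentResponse(HttpServletResponse response) {
        // One combined value: the original issued two setHeader("Cache-Control")
        // calls, and the second replaced the first, so "no-cache" was never sent.
        response.setHeader("Cache-Control", "no-cache, no-store");
        response.setDateHeader("Expires", 0);
        response.setHeader("Pragma", "no-cache");
        response.setCharacterEncoding("UTF-8");
    }

    /**
     * Returns whether {@code str} contains any entry of {@link #BLOCKED_FRAGMENTS},
     * compared case-insensitively.
     *
     * @param str text to check; {@code null} or empty is treated as clean
     * @return {@code true} if a blocked fragment occurs anywhere in {@code str}
     */
    private static boolean isSQLOrScript(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        // Locale.ROOT: under some default locales (e.g. Turkish) lower-casing maps
        // 'I' to a dotless i, so "INSERT" would not match "insert".
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String fragment : BLOCKED_FRAGMENTS) {
            if (lowered.contains(fragment)) {
                return true;
            }
        }
        return false;
    }
}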

