java 过滤器filter防sql注入
转自:http://blog.csdn.net/xb12369/article/details/22921629
XSSFilter.java
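/**
 * Screens the query string of each HTTP request with the blacklist scrubbers
 * in RequestWrapper and, when anything was stripped, redirects the client to
 * the scrubbed URL instead of serving the request.
 *
 * <p>What this does and does not cover (from the code below): only the query
 * string is inspected in the active mode - POST bodies, headers and cookies go
 * down the chain untouched, and so does the request object itself, i.e. nothing
 * is sanitized in place. The scrubbers are keyword/character blacklists that
 * are easy to bypass and that corrupt legitimate input, so this filter is at
 * best defence-in-depth: SQL injection is prevented by PreparedStatement with
 * bound parameters, XSS by context-aware output encoding at render time.
 *
 * @param servletrequest  incoming request; non-HTTP requests are passed through
 * @param servletresponse response, used for the redirect or a 400 reply
 * @param filterchain     remainder of the filter chain
 * @throws IOException      from the chain, sendRedirect or sendError
 * @throws ServletException from the chain
 */
public void doFilter(ServletRequest servletrequest,
        ServletResponse servletresponse, FilterChain filterchain)
        throws IOException, ServletException {
    // Non-HTTP requests have nothing to inspect; the original unconditional
    // casts would have thrown ClassCastException here.
    if (!(servletrequest instanceof HttpServletRequest)
            || !(servletresponse instanceof HttpServletResponse)) {
        filterchain.doFilter(servletrequest, servletresponse);
        return;
    }
    HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;
    HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;

    // flag = true: check the query string only. flag = false: wrap the request so
    // every parameter and header read downstream is rewritten - strict enough to
    // break ordinary form input, hence disabled. Hard-coded, as in the original.
    boolean flag = true;
    if (!flag) {
        filterchain.doFilter(new RequestWrapper(httpServletRequest), servletresponse);
        return;
    }

    // Match on the request path, not on getRequestURL(): the full URL embeds the
    // host, which containers generally take from the client-supplied Host header,
    // so a crafted Host could satisfy the substring checks below. Path parameters
    // (";jsessionid=..." and friends) are ignored by the container when mapping,
    // so they are stripped before matching as well.
    String path = decodeOrNull(httpServletRequest.getRequestURI().replaceAll(";[^/]*", ""));
    if (path == null) {
        // Malformed percent-encoding: reply 400 rather than leaking a 500 stack trace.
        httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return;
    }

    // Pages exempt from any checking (payment and login callbacks). Still a
    // substring match as in the original, so any path merely containing one of
    // these names is exempt; an exact path comparison would be tighter.
    String[] exemptPages = {
        "alipay_hotel_book_return.html",
        "account_bank_return.html",
        "/alipay/activity.html",
        "/alipayLogin.html",
    };
    for (String page : exemptPages) {
        if (path.indexOf(page) != -1) {
            filterchain.doFilter(servletrequest, servletresponse);
            return;
        }
    }

    String rawQuery = httpServletRequest.getQueryString();
    if (rawQuery != null && !rawQuery.isEmpty()) {
        String param = decodeOrNull(rawQuery);
        if (param == null) {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        RequestWrapper rw = new RequestWrapper(httpServletRequest);
        String sqlParam = param;
        // The SQL-keyword blacklist is applied on two endpoints only.
        if (path.endsWith("/askQuestion.html") || path.endsWith("/member/answer.html")) {
            sqlParam = rw.cleanSQLInject(param);
        }
        String xssParam = rw.cleanXSS(sqlParam);
        if (!xssParam.equals(param)) {
            // Something was stripped: send the client to the scrubbed URL. The target
            // keeps the absolute URL the client asked for (so a path such as "//evil"
            // cannot turn into a protocol-relative redirect) and, as in the original,
            // appends the query *decoded* - values holding '&', '=' or '#' are therefore
            // re-parsed differently on the follow-up request.
            String target = httpServletRequest.getRequestURL().toString() + "?" + xssParam;
            httpServletResponse.sendRedirect(target);
            return;
        }
    }
    filterchain.doFilter(servletrequest, servletresponse);
}

/**
 * Percent-decodes {@code s} as UTF-8, returning null instead of propagating the
 * IllegalArgumentException that URLDecoder throws for malformed escapes.
 */
private static String decodeOrNull(String s) throws IOException {
    try {
        return URLDecoder.decode(s, "UTF-8");
    } catch (IllegalArgumentException e) {
        return null;
    }
}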
RequestWrapper.java（上面 doFilter 中使用的请求包装类，重写了 getParameter / getParameterValues / getHeader）:
/**
 * No-argument constructor.
 *
 * <p>NOTE(review): this class is presumably an HttpServletRequestWrapper
 * subclass (its header is not shown here); the servlet wrapper base class
 * rejects a null wrapped request with IllegalArgumentException, so this
 * constructor cannot complete normally. Only the one-argument form is usable.
 */
public RequestWrapper(){
super(null);
}
/**
 * Wraps {@code httpservletrequest}; getParameter, getParameterValues and
 * getHeader on the wrapper return the scrubbed value (see the overrides below).
 *
 * @param httpservletrequest the request to wrap; must be non-null (the servlet
 *        wrapper base class rejects null with IllegalArgumentException)
 */
public RequestWrapper(HttpServletRequest httpservletrequest) {
super(httpservletrequest);
}
/**
 * Returns every value of parameter {@code s}, each passed through
 * cleanSQLInject and then cleanXSS; null when the parameter is absent.
 * A fresh array is returned, so the container's own array is not modified.
 *
 * @param s parameter name
 * @return scrubbed copies of the values, or null
 */
public String[] getParameterValues(String s) {
    String[] raw = super.getParameterValues(s);
    if (raw == null) {
        return null;
    }
    String[] sanitized = new String[raw.length];
    int idx = 0;
    for (String value : raw) {
        sanitized[idx++] = cleanXSS(cleanSQLInject(value));
    }
    return sanitized;
}
/**
 * Returns the single value of parameter {@code s} after cleanSQLInject and
 * then cleanXSS, or null when the parameter is absent.
 *
 * @param s parameter name
 * @return scrubbed value, or null
 */
public String getParameter(String s) {
    String raw = super.getParameter(s);
    return raw == null ? null : cleanXSS(cleanSQLInject(raw));
}
/**
 * Returns header {@code s} after cleanSQLInject and then cleanXSS, or null
 * when the header is absent.
 *
 * <p>Because cleanXSS (below) removes ';', ',', '"' and '@', headers such as a
 * multi-cookie Cookie, a quoted ETag or anything holding an e-mail address are
 * altered when read through this wrapper. The raw values remain reachable via
 * getHeaders(String) / getHeaderNames() unless those are overridden elsewhere
 * in the class.
 *
 * @param s header name
 * @return scrubbed header value, or null
 */
public String getHeader(String s) {
    String raw = super.getHeader(s);
    return raw == null ? null : cleanXSS(cleanSQLInject(raw));
}
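/**
 * Blacklist-style XSS scrubbing of a single string.
 *
 * <p>Steps, in order: (1) drop {@code eval(...)}, the word {@code script}
 * (case-insensitively) and quoted {@code javascript:} URLs; (2) drop the
 * literal characters {@code ; " @ ,} and the literal text {@code 0x0d} /
 * {@code 0x0a}; (3) HTML-entity-encode {@code < > ( ) '}.
 *
 * <p>As extracted, the original replaced each of {@code < > ( ) '} with
 * itself, i.e. did nothing, and ran that step first, which also made the
 * later {@code eval\(} / {@code 'javascript:'} patterns unmatchable and
 * stripped the ';' out of any entity it produced. Entity encoding is done
 * last here so the entities survive.
 *
 * <p>This remains a blacklist: event-handler attributes ({@code onerror=}),
 * {@code src=}, encoded payloads and anything else not listed pass straight
 * through, while legitimate input containing commas, quotes, '@' (e-mail
 * addresses) or the letters "script" is corrupted. Treat it as
 * defence-in-depth at most; the actual protection is context-aware output
 * encoding where the value is rendered.
 *
 * @param src raw input; null is returned unchanged
 * @return the scrubbed string
 */
public String cleanXSS(String src) {
    if (src == null) {
        return null;
    }
    String temp = src;
    System.out.println("xss---temp-->" + src);
    // Script-ish patterns first, while '(' and the quotes are still literal.
    Pattern pattern = Pattern.compile("(eval\\((.*)\\)|script)", Pattern.CASE_INSENSITIVE);
    src = pattern.matcher(src).replaceAll("");
    pattern = Pattern.compile("[\\\"\\'][\\s]*javascript:(.*)[\\\"\\']", Pattern.CASE_INSENSITIVE);
    src = pattern.matcher(src).replaceAll("\"\"");
    // Literal strip list. "0x0d"/"0x0a" remove that four-character text, not
    // CR/LF; presumably CR/LF were intended (TODO confirm) - original kept.
    src = src.replaceAll("script", "").replaceAll(";", "")
            .replaceAll("\"", "").replaceAll("@", "")
            .replaceAll("0x0d", "")
            .replaceAll("0x0a", "").replaceAll(",", "");
    // Entity-encode last so the ';' in each entity is not stripped above.
    src = src.replace("<", "&lt;").replace(">", "&gt;");
    src = src.replace("(", "&#40;").replace(")", "&#41;");
    src = src.replace("'", "&#39;");
    if (!temp.equals(src)) {
        System.out.println("输入信息存在xss攻击!");
        System.out.println("原始输入信息-->" + temp);
        System.out.println("处理后信息-->" + src);
    }
    return src;
}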
- // TODO (original note: add wildcard / case-insensitive matching). Making this blacklist case-insensitive would not make it safe: it still misses UNION, comments, operators and stacked statements and corrupts ordinary words. Use PreparedStatement with bound parameters instead.
/**
 * Blacklist "scrubbing" of SQL keywords: each occurrence of the lower-case
 * words insert/select/update/delete/and/or is replaced by a "forbidX" marker,
 * in that order, and a console message is printed when anything changed.
 *
 * <p>Limitations visible in the code: matching is case-sensitive ("SELECT"
 * passes untouched), substring-based ("password" becomes "passwforbidOd",
 * "android" becomes "forbidAroid"; even the "or" inside an earlier "forbidI"
 * is rewritten again, so "insert" ends up as "fforbidObidI"), and covers none
 * of UNION, comments, '||', '1=1' or stacked statements. It does not prevent
 * SQL injection; only PreparedStatement with bound parameters does.
 *
 * @param src input; must be non-null (NullPointerException otherwise, as before)
 * @return the rewritten string
 */
public String cleanSQLInject(String src) {
    String original = src;
    String[][] keywordMarkers = {
        {"insert", "forbidI"},
        {"select", "forbidS"},
        {"update", "forbidU"},
        {"delete", "forbidD"},
        {"and", "forbidA"},
        {"or", "forbidO"},
    };
    String result = src;
    for (String[] pair : keywordMarkers) {
        result = result.replaceAll(pair[0], pair[1]);
    }
    if (!original.equals(result)) {
        System.out.println("输入信息存在SQL攻击!");
        System.out.println("原始输入信息-->" + original);
        System.out.println("处理后信息-->" + result);
    }
    return result;
}
web.xml 配置:
<!-- XSSFilter registration. The "encoding" init-param is declared here, but the
     doFilter shown above never reads it (it hard-codes "UTF-8"); confirm against
     the filter's init() before relying on it. -->
<filter>
    <filter-name>XssFilter</filter-name>
    <filter-class>cn.com.jsoft.xss.XSSFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<!-- Mapped to every URL. Without explicit <dispatcher> elements a filter-mapping
     applies to the REQUEST dispatcher only: requests that reach a page through
     RequestDispatcher.forward/include or the error-page mechanism do not pass
     through this filter. -->
<filter-mapping>
    <filter-name>XssFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
以上代码只是用黑名单方式把部分 SQL 关键字和 script 相关字符替换掉，并不能真正防住 SQL 注入或 XSS：关键字匹配区分大小写（SELECT 直接放行）、按子串替换会破坏 password、android 这类正常输入，对 UNION、注释、事件属性（onerror=）等完全无效。真正的防护必须在后台实现——SQL 一律使用 PreparedStatement 绑定参数，页面输出按所在上下文做 HTML/属性/JS 编码；这个过滤器最多只能作为附加的纵深防御，而不是防线本身。
源码下载地址:http://download.csdn.net/detail/xb12369/7145235