Java Web 一些特殊字符的过滤(appscan检查的安全问题)


适用于出现以下问题:

1、SQL盲注

2、存储的跨站点脚本编制 或 跨站点脚本编制

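import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that rejects a request when any of its parameter values contains a
 * token from a fixed keyword blacklist (see {@link #sqlValidate(String)}).
 *
 * <p>This is a best-effort input screen, not a substitute for parameterised SQL and
 * output encoding. The check is a plain substring test, so ordinary words such as
 * "world" (contains "or") or "band" (contains "and") are rejected as well; only the
 * values returned by {@code getParameterValues} are inspected — headers, cookies and
 * the request path are not.
 */
public class AntiSqlInjectionfilter implements Filter {

    /**
     * Blacklisted substrings, matched case-insensitively against each parameter value.
     * Kept in the original '|'-separated form so the list stays easy to extend by hand.
     */
    private static final String BAD_STR = "'|select|update|and|or|delete|insert|truncate|char|into"
        + "|substr|declare|exec|master|drop|execute|"
        + "union|;|--|+|,|like|//|/|%|#|*|$|@|\"|http|cr|lf|<|>|(|)";

    /** Split once at class-load time instead of on every request. */
    private static final String[] BAD_TOKENS = BAD_STR.split("\\|");

    /**
     * Message returned to the client on rejection. It deliberately does not echo the
     * offending value: reflecting raw input into an error page is exactly the kind of
     * output the filter is meant to prevent.
     */
    private static final String REJECT_MESSAGE = "您发送请求中的参数中含有非法字符";

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no resources.
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No configuration is read; the blacklist is fixed at compile time.
    }

    /**
     * Screens every parameter value of the request. When none matches the blacklist the
     * request continues down the chain; otherwise the response is completed with
     * {@code 400 Bad Request} and the chain is not invoked.
     *
     * <p>Each value is checked on its own. Concatenating all values into one string (as
     * the earlier implementation did) lets a token straddle two unrelated parameters,
     * e.g. {@code "sel"} in one field and {@code "ect"} in the next.
     *
     * <p>Rejection is signalled with {@code sendError} rather than by throwing
     * {@link IOException}: a bad client value is not an I/O failure, and throwing turned
     * it into a 500 whose message carried the raw input.
     *
     * @param request  incoming request; cast to {@link HttpServletRequest}
     * @param response outgoing response; cast to {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from {@code sendError} or the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = req.getParameterValues(names.nextElement());
            if (values == null) {
                // Defensive: the servlet API allows null for an unknown name.
                continue;
            }
            for (String value : values) {
                if (sqlValidate(value)) {
                    res.sendError(HttpServletResponse.SC_BAD_REQUEST, REJECT_MESSAGE);
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns {@code true} when {@code str} contains any blacklisted token.
     *
     * <p>Lower-casing uses {@link Locale#ROOT} on purpose: with a Turkish default locale
     * {@code "INSERT".toLowerCase()} produces a dotless i ("ınsert"), which would not
     * match the lower-case token list, so the result must not depend on the server's
     * locale.
     *
     * @param str parameter value to inspect; {@code null} is treated as clean
     * @return whether a blacklisted substring was found
     */
    protected static boolean sqlValidate(String str) {
        if (str == null) {
            return false;
        }
        String lowered = str.toLowerCase(Locale.ROOT);
        for (String token : BAD_TOKENS) {
            if (lowered.contains(token)) {
                return true;
            }
        }
        return false;
    }
}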

