SQL注入过滤器:SqlInjectFilter
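/**
 * Servlet filter that rejects requests whose parameter values contain SQL-looking
 * fragments (quotes, comment markers, a list of SQL keywords) and forwards them to
 * the application's {@code /error} view instead of the target servlet.
 *
 * <p>This is a blocklist and therefore only defence in depth: it does not replace
 * parameterised queries ({@code PreparedStatement}) in the data layer, and the word
 * list is broad enough ("and", "or", "count", "char", ...) that legitimate free-text
 * input can be rejected. Tune the pattern per endpoint through the {@code regx}
 * init parameter rather than widening the default.
 */
@WebFilter(urlPatterns = "/xxx/list")
// Alternative registration kept from the original for reference: match every path
// and supply the pattern through an init parameter instead of the built-in default.
// @WebFilter(urlPatterns = "/*", filterName = "SQLInjection",
//            initParams = { @WebInitParam(name = "regx", value = "<regex>") })
public class SqlInjectFilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(SqlInjectFilter.class);

    /** Message stored in the {@code err} request attribute (kept byte-identical to the original). */
    private static final String ERR_MESSAGE = "您输入的参数包含无效字符,请输入有效的参数!";

    /**
     * Default pattern used when no {@code regx} init parameter is configured.
     * NOTE(review): reconstructed from a garbled copy of the original; the misspelt
     * "trancate" was corrected to "truncate" (the typo meant TRUNCATE was never matched)
     * and the duplicated "into" was dropped — confirm against the project's own copy.
     */
    private static final String DEFAULT_REGX =
            "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
            + "(\\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii"
            + "|declare|exec|count|master|drop|execute)\\b)";

    /** Compiled once in {@link #init}; a compiled Pattern is immutable, so one instance serves all requests. */
    private java.util.regex.Pattern pattern;

    /**
     * Compiles the detection pattern, preferring the {@code regx} init parameter and
     * falling back to {@link #DEFAULT_REGX} when it is absent or blank.
     *
     * @param filterConfig container-supplied configuration; {@code regx} is the only parameter read
     * @throws ServletException declared by the {@link Filter} contract, not thrown here
     * @throws java.util.regex.PatternSyntaxException if the configured regex does not compile
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter("regx");
        String regx = (configured == null || configured.trim().isEmpty()) ? DEFAULT_REGX : configured;
        // CASE_INSENSITIVE: the original String.matches() call was case-sensitive, so an
        // upper-case "SELECT" slipped past the lower-case word list.
        this.pattern = java.util.regex.Pattern.compile(regx, java.util.regex.Pattern.CASE_INSENSITIVE);
    }

    /**
     * Scans every parameter value of the request. On the first value that the pattern
     * matches, the request is forwarded to {@code /error} with the {@code err} and
     * {@code pageUrl} attributes set and the chain is not continued; otherwise the
     * request proceeds down the chain unchanged.
     *
     * @param servletRequest  incoming request; cast to {@link HttpServletRequest} for the URI
     * @param servletResponse response handed to the forward or the chain
     * @param filterChain     remainder of the filter chain
     * @throws IOException      propagated from the forward or the chain
     * @throws ServletException propagated from the forward or the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        Map<String, String[]> parameterMap = servletRequest.getParameterMap();
        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
            String[] values = entry.getValue();
            if (values == null) {
                continue;
            }
            for (String value : values) {
                // find() instead of matches(): matches() requires the whole value to equal the
                // pattern, so "1 or 1=1" was never rejected — only a value that was exactly "or".
                if (value != null && pattern.matcher(value).find()) {
                    // Log the parameter name and URI, not the raw value, so user-controlled text
                    // (including possible log-forging payloads) stays out of the log line.
                    logger.error("{} uri={} param={}", ERR_MESSAGE, req.getRequestURI(), entry.getKey());
                    servletRequest.setAttribute("err", ERR_MESSAGE);
                    servletRequest.setAttribute("pageUrl", req.getRequestURI());
                    // A path given to ServletRequest.getRequestDispatcher() that starts with "/"
                    // is already relative to the context root; prefixing getContextPath() as the
                    // original did resolves to "/ctx/ctx/error" on any non-root deployment.
                    servletRequest.getRequestDispatcher("/error").forward(servletRequest, servletResponse);
                    return;
                }
            }
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    /** Nothing to release: the compiled pattern holds no external resources. */
    @Override
    public void destroy() {
    }
}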
以上 SQL 注入漏洞修复相关内容摘自网络,仅供参考。相关信息请参见官方公告。