java prevents SQL Injection 2 (interception via the filter filter feature)

Source: Internet
Author: User
Tags chr sql injection stub

First of all, this filter interception is actually not reliable, for example, my article is the introduction of SQL injection, or the content of the comment is about SQL, it will be filtered out, and if each page through the filter, then the efficiency is very low.

If it is for SQL injection interception, it is more reliable to manually filter in the form of a method on the business layer of data access.

or use the SQL Parameter form, this is absolutely hundred-percent to decide.

For an explanation of SQL injection, refer to: http://www.cnblogs.com/EasonJim/p/6223216.html

For a tutorial on using filter filters, refer to: http://www.runoob.com/servlet/servlet-writing-filters.html

The code implemented using the filter filter is as follows:

Xml:

<!--configuration in the Web. xml File -<!--filters to prevent SQL injection -<Filter>    <Filter-name>Antisqlinjection</Filter-name>    <Filter-class>Com.tarena.dingdang.filter.AntiSqlInjectionfilter</Filter-class></Filter><filter-mapping>    <Filter-name>Antisqlinjection</Filter-name>    <Url-pattern>/*</Url-pattern></filter-mapping>

Filter

 PackageCom.jsoft.jblog.filter;Importjava.io.IOException;Importjava.util.Enumeration;ImportJavax.servlet.Filter;ImportJavax.servlet.FilterChain;ImportJavax.servlet.FilterConfig;Importjavax.servlet.ServletException;Importjavax.servlet.ServletRequest;ImportJavax.servlet.ServletResponse;Importjavax.servlet.http.HttpServletRequest; Public classAntisqlinjectionfilterImplementsFilter { Public voiddestroy () {//TODO auto-generated Method Stub    }          Public voidInit (Filterconfig arg0)throwsservletexception {//TODO auto-generated Method Stub    }          Public voidDoFilter (ServletRequest args0, Servletresponse args1, Filterchain chain)throwsIOException, servletexception {httpservletrequest req=(httpservletrequest) args0; HttpServletRequest Res=(httpservletrequest) args1; //get all request parameter namesEnumeration params =Req.getparameternames (); String SQL= "";  while(Params.hasmoreelements ()) {//get the name of the parameterString name =params.nextelement (). toString (); //System.out.println ("name===========================" + name + "--"); //get parameter corresponding valueString[] Value =req.getparametervalues (name);  for(inti = 0; i < value.length; i++) {SQL= SQL +Value[i]; }        }        //System.out.println ("============================sql" +sql); //have SQL keyword, jump to error.html        if(sqlvalidate (SQL)) {Throw NewIOException ("You send the parameter in the request contains illegal characters"); //String IP = req.getremoteaddr ();}Else{chain.dofilter (ARGS0,ARGS1); }    }         //Efficacy    protected Static Booleansqlvalidate (String str) {str= Str.tolowercase ();//Unify to lowercaseString badstr = "' |and|exec|execute|insert|select|delete|update|count|drop|*|%| chr|mid|master|truncate| "+" Char|declare|sitename|net user|xp_cmdshell|;|                Or|-|+|,|like ' |and|exec|execute|insert|create|drop| "+" table|from|grant|use|group_concat|column_name| "+                "Information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" + "Chr|mid|master|truncate|char|declare|or|;| -|--|+|,|like|//|/|%| #";//filter out the SQL keyword, you can manually addstring[] Badstrs = Badstr.split ("\\|");  for(inti = 0; i < badstrs.length; i++) {            if(Str.indexof (badstrs[i]) >= 0) {                return true; }        }        return false; }}

Reference: http://www.oschina.net/code/snippet_811941_14131

java prevents SQL Injection 2 (interception via the filter filter feature)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.