In Apache Commons Lang (version 2.3 and later), StringEscapeUtils is a handy utility class for escaping strings, mainly to defend against SQL injection and XSS attacks. It provides the following methods:
1. escapeSql provides SQL escaping to prevent SQL injection attacks, such as the typical universal-password attack ' or 1=1 '
- StringBuffer sql = new StringBuffer("Select Key_sn,remark,create_date from Tb_selogon_key where 1=1");
- // CommUtil.isEmpty is the author's own helper; escapeSql doubles any single quote in the keyword
- if (!CommUtil.isEmpty(keyWord)) {
-     sql.append(" and like '%" + StringEscapeUtils.escapeSql(keyWord) + "%'");
- }
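The keyword filter above, as an added example that is not part of the original post: escapeSql only doubles single quotes, so it does nothing about the LIKE wildcards % and _, which a keyword of "%" would exploit to match every row; this version also escapes those. It assumes the column name remark (the fragment above omits the column) and the Commons Lang 2.x API, since escapeSql was removed in Commons Lang 3, where a PreparedStatement with bind parameters is the recommended approach.

```java
import org.apache.commons.lang.StringEscapeUtils; // commons-lang 2.x

public class KeywordSearchSql {
    // Escapes the keyword for use inside a quoted LIKE pattern.
    // escapeSql handles the quote; the replace calls neutralise the
    // wildcards so that '%' and '_' in user input are matched literally.
    static String keywordFilter(String keyword) {
        String literal = StringEscapeUtils.escapeSql(keyword)
                .replace("!", "!!")   // escape character itself first
                .replace("%", "!%")
                .replace("_", "!_");
        // "remark" is an assumed column name; the page's fragment leaves it out
        return " and remark like '%" + literal + "%' escape '!'";
    }

    static String buildQuery(String keyword) {
        StringBuffer sql = new StringBuffer(
            "Select Key_sn,remark,create_date from Tb_selogon_key where 1=1");
        if (keyword != null && keyword.trim().length() > 0) {
            sql.append(keywordFilter(keyword));
        }
        return sql.toString();
    }

    public static void main(String[] args) {
        // constructed inputs: a universal-password attempt and a wildcard-laden keyword
        System.out.println(buildQuery("' or 1=1 '"));  // quotes doubled, stays inside the literal
        System.out.println(buildQuery("100%_done"));   // wildcards escaped, matched literally
    }
}
```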
2. escapeHtml/unescapeHtml escape and unescape HTML markup
- System.out.println(StringEscapeUtils.escapeHtml("<a>dddd</a>"));
- Output: &lt;a&gt;dddd&lt;/a&gt;
- System.out.println(StringEscapeUtils.unescapeHtml("&lt;a&gt;dddd&lt;/a&gt;"));
- Output: <a>dddd</a>
3. escapeJavaScript/unescapeJavaScript escape and unescape JavaScript string literals
- System.out.println(StringEscapeUtils.escapeJavaScript("<script>alert('1111')</script>"));
- Output: <script>alert(\'1111\')<\/script>
4. escapeJava/unescapeJava convert a string to and from Unicode escape sequences
- System.out.println(StringEscapeUtils.escapeJava("中国共产党"));
- Output (the string after escaping with escapeJava): \u4E2D\u56FD\u5171\u4EA7\u515A
Commons Lang common utility class StringEscapeUtils