Struts2 Interceptor to prevent SQL Injection

The SQL injection attack is successful because new logic is added to the original SQL statement.

For example, the original SQL = "select * from user where userid = '" + userid + "'";

If userid = "'or 1 = '1 ";

The concatenated SQL = "select * from user where userid ='' or 1 = '1 '";

This SQL statement can list all records in the table.

For a good programmer, writing high-quality code can prevent SQL injection.

For example, if you use preparedstatement to execute an SQL statement instead of statement, then you only enter the Parameter

The SQL injection attack method is invalid because preparedstatement does not allow you to change the logical structure of the query at different insertion times.

Most of the SQL injections are blocked.

Sometimes our SQL statements are concatenated, so if we rebuild our database operations, it will be very troublesome.

Therefore, we need to filter out invalid characters in the form.

Of course, we can use filter to verify the form submitted to servlet.

However, the struts2 framework does not seem to work.

This requires the struts2 Interceptor to implement the same function.

The Interceptor is not introduced anymore.

Now I will post the implementation code for your reference.

Illegalcharacterinterceptor. Java

Import java. util. iterator;
Import java. util. Map;
Import java. util. Map. entry;

Import com. opensymphony. xwork2.ActionContext;
Import com. opensymphony. xwork2.ActionInvocation;
Import com. opensymphony. xwork2.interceptor. AbstractInterceptor;
Import com. opensymphony. xwork2.util. ValueStack;
Import com. sun. imageio. plugins. common. I18N;

Public class IllegalCharacterInterceptor extends actinterceptor {

@ Override
Public String intercept (ActionInvocation invocation) throws Exception {
// Obtain the scheduling Action context through the core scheduler invocation
ActionContext actionContext = invocation. getInvocationContext ();
// Obtain the value stack of the Action Context
ValueStack stack = actionContext. getValueStack ();
// Obtain the Request Parameters of the context
Map valueTreeMap = actionContext. getParameters ();
// Iterator for obtaining the set of Request Parameters
Iterator iterator = valueTreeMap. entrySet (). iterator ();
// Traverse Assembly Request Parameters
While (iterator. hasNext ()){
// Obtain the iterative key-Value Pair
Entry entry = (Entry) iterator. next ();
// Obtain the key value in the key-Value Pair
String key = (String) entry. getKey ();
// Original request parameter, because one-key pair of multiple values is possible, the String []
String [] oldValues = null;
// Convert the parameter value to the String type
If (entry. getValue () instanceof String ){
OldValues = new String [] {entry. getValue (). toString ()};
} Else {
OldValues = (String []) entry. getValue ();
}
// Processed Request Parameters
String newValueStr = null;
// Filter Request Parameters
If (oldValues. length> 1 ){
NewValueStr = "{";
For (int I = 0; I <oldValues. length; I ++ ){
// Replace invalid parameters. Here, only 'is replaced. If you have other requirements, you can write a class that processes characters.
NewValueStr + = oldValues [I]. toString (). replaceAll ("'","");
If (I! = OldValues. length-1 ){
NewValueStr + = ",";
}
}
NewValueStr + = "}";
} Else if (oldValues. length = 1 ){
// Replace invalid parameters. Here, only 'is replaced. If you have other requirements, you can write a class that processes characters.
NewValueStr = oldValues [I]. toString (). replaceAll ("'","");

} Else {
NewValueStr = null;
}
// Add the processed request parameters to the value Stack
Stack. setValue (key, newValueStr );
}
String result = null;
Try {
// Call the next Interceptor. If the interceptor does not exist, execute the Action
Result = invocation. invoke ();
} Catch (Exception e ){
E. printStackTrace ();
}
Return result;
}

}

After the interceptor is written, you can use it.

Add the default Interceptor to the custom interceptor in struts. xml.

Otherwise, the default interceptor will not work.

<Interceptors>
<Interceptor name = "illegalCharacter" class = "com. ainong. interceptor. IllegalCharacterInterceptor"/>
<Interceptor-stack name = "myStack">
<Interceptor-ref name = "defaultStack"> </interceptor-ref>
<Interceptor-ref name = "illegalCharacter"> </interceptor-ref>
</Interceptor-stack>
</Interceptors>

In this way, you can use myStack to intercept

If we configure <interceptor-ref name = "myStack"/> for each Action

We can also set the interceptor stack above as the default interceptor stack, which can take effect for all actions in the package.

We do not need to configure

<Default-interceptor-ref name = "myStack"> </default-interceptor-ref>