Principle: filter every request that contains illegal characters or keywords, such as &, <, select, delete and similar SQL keywords. Attackers can exploit these characters to inject SQL because the application builds its SQL statement by concatenating strings on the server side. Example:
The SQL query used for login verification on a website is:
StrSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '" + passWord + "');"
Malicious input
With userName = "' OR '1' = '1" and passWord = "' OR '1' = '1", the SQL string that is built becomes:
StrSQL = "SELECT * FROM users WHERE (name = '' OR '1' = '1') and (pw = '' OR '1' = '1');"
Because the WHERE clause is now always true, the statement that actually runs is equivalent to:
StrSQL = "SELECT * FROM users;"
An attacker can therefore log in to the website without any account or password. This is why SQL injection is such a well-known hacking attack.
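As an added illustration (not code from the original post), the login query above is built two ways: by string concatenation, which reproduces the altered statement just shown, and with a JDBC PreparedStatement, where the same input is bound as a parameter value so the quote characters never reach the SQL parser. The table and column names are those of the example; the Connection is assumed to come from the application.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginQueryDemo {

    // Vulnerable: the query text is assembled from user input, exactly as in the
    // article's example, so a quote in the input changes the statement's structure.
    static String buildConcatenatedQuery(String userName, String passWord) {
        return "SELECT * FROM users WHERE (name = '" + userName
                + "') and (pw = '" + passWord + "');";
    }

    // Safe: the SQL text is fixed before any input is seen and the inputs are bound
    // as parameter values, so ' OR '1' = '1 is compared literally against the
    // columns instead of being parsed as SQL.
    static boolean loginWithPreparedStatement(Connection conn, String userName, String passWord)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName);
            ps.setString(2, passWord);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next(); // true only if a row matches both values literally
            }
        }
    }

    public static void main(String[] args) {
        String payload = "' OR '1' = '1"; // the article's malicious input
        // Prints the article's altered statement, whose WHERE clause is always true
        System.out.println(buildConcatenatedQuery(payload, payload));
        // loginWithPreparedStatement(conn, payload, payload) returns false for the
        // same input unless a row really has that name and that password.
    }
}
```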
Perform the following three steps:
1. Write the filter
2. Configure web.xml
3. Write error.jsp
1. Filter code:
[Java]
package cn.kepu.filter;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Prevent SQL injection with a custom filter www.2cto.com
 * cn.kepu.filter.SqlInjectFilter.java
 * @author ffr
 * Created at 2012-7-12
 */
public class SqlInjectFilter implements Filter {

    // Keyword blacklist, error page and debug switch; all three can be
    // overridden through <init-param> entries in web.xml (see init()).
    private static List<String> invalidsql = new ArrayList<String>();
    private static String error = "/error.jsp";
    private static boolean debug = false;

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain fc)
            throws IOException, ServletException {
        if (debug) {
            System.out.println("prevent SQL inject filter works");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getParameterMap() maps each name to a String[] because a parameter may be
        // repeated; every submitted value is checked, not only the first one.
        Map<String, String[]> params = request.getParameterMap();
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String key = entry.getKey();
            for (String value : entry.getValue()) {
                if (value == null) {
                    continue;
                }
                if (debug) {
                    System.out.println("process params <key, value>: <" + key + ", " + value + ">");
                }
                // Compare case-insensitively so that SELECT and select are treated alike
                String lower = value.toLowerCase();
                for (String word : invalidsql) {
                    if (lower.contains(word.toLowerCase())) {
                        // Escape angle brackets before the value is echoed on the error
                        // page, so the rejected parameter cannot itself become an XSS payload
                        String shown = value.replace("<", "&lt;").replace(">", "&gt;");
                        request.getSession().setAttribute("sqlInjectError",
                                "the request parameter \"" + shown + "\" contains keyword: \"" + word + "\"");
                        response.sendRedirect(request.getContextPath() + error);
                        return;
                    }
                }
            }
        }
        fc.doFilter(req, res);
    }

    public void init(FilterConfig conf) throws ServletException {
        String sql = conf.getInitParameter("invalidsql");
        String errorpage = conf.getInitParameter("error");
        String de = conf.getInitParameter("debug");
        if (errorpage != null) {
            error = errorpage;
        }
        if (sql != null) {
            // The keyword list is configured as one blank-separated string
            invalidsql = Arrays.asList(sql.trim().split("\\s+"));
        }
        if (de != null && Boolean.parseBoolean(de)) {
            debug = true;
            System.out.println("PreventSQLInject Filter starting ...");
            System.out.println("print filter details");
            System.out.println("invalid words as follows (split with blank):");
            for (String s : invalidsql) {
                System.out.print(s + " ");
            }
            System.out.println();
            System.out.println("error page as follows");
            System.out.println(error);
            System.out.println();
        }
    }
}
2. Add the following configuration in web.xml:
[Html]
<filter>
    <filter-name>PreventSqlInject</filter-name>
    <filter-class>cn.kepu.filter.SqlInjectFilter</filter-class>
    <!-- Filter words, split with blank -->
    <init-param>
        <param-name>invalidsql</param-name>
        <param-value>select insert delete from update create destroy drop alter and or like exec count chr mid master truncate char declare ; - ' % &lt; &gt;</param-value>
    </init-param>
    <!-- Error page -->
    <init-param>
        <param-name>error</param-name>
        <param-value>/error.jsp</param-value>
    </init-param>
    <!-- Debug -->
    <init-param>
        <param-name>debug</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>PreventSqlInject</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
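To see what this blacklist accepts and rejects without deploying the filter, here is an added stand-alone check (not part of the original post) that applies the same case-insensitive substring rule to a few constructed parameter values, using the keyword list from the web.xml fragment above.

```java
import java.util.Arrays;
import java.util.List;

public class BlacklistCheck {

    // Same blank-separated list as the invalidsql init-param above
    static final List<String> INVALID = Arrays.asList(
            ("select insert delete from update create destroy drop alter and or like exec "
             + "count chr mid master truncate char declare ; - ' % < >").split("\\s+"));

    // Returns the first blacklisted word contained in value (case-insensitive), or null
    static String firstMatch(String value) {
        String lower = value.toLowerCase();
        for (String word : INVALID) {
            if (lower.contains(word.toLowerCase())) {
                return word;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values: the article's payload, a mixed-case keyword,
        // and three ordinary inputs
        String[] samples = {
            "' OR '1' = '1",          // rejected (or): the injection from the article
            "SeLeCt name",            // rejected (select): case folding catches it
            "alice",                  // accepted: contains no listed word
            "Victoria",               // rejected (or): "or" is a substring, a false positive
            "2012-07-12"              // rejected (-): the hyphen is listed, a false positive
        };
        for (String s : samples) {
            String hit = firstMatch(s);
            System.out.println((hit == null ? "accepted" : "rejected (" + hit + ")") + ": " + s);
        }
    }
}
```

The last two results show the cost of substring blacklisting: ordinary values are rejected along with the payload. Parameterized queries remain the primary defence; a filter like this is an additional layer in front of them.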
3. Add error.jsp in the root directory.
[Plain]
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8" %>
<%
    String path = request.getContextPath();
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <title>SQL Injection Prevention System</title>
</head>
<body>
    This is an anti-SQL injection system that automatically filters your requests. Please change the request string.
    <%= session.getAttribute("sqlInjectError") %>
    <p><a href="<%= path %>">click here to return</a></p>
</body>
</html>
Author: fufengrui