First of all, this kind of filter-based interception is not actually reliable. If, for example, an article is an introduction to SQL injection, or a comment discusses SQL, the filter rejects it even though the content is harmless; and if every request has to pass through a keyword filter, the overhead is high.
If the goal is to block SQL injection, it is more reliable to validate input in a method at the data access (business) layer,
or to use SQL parameters (PreparedStatement). Parameterized queries settle the matter completely, because a bound value can never change the structure of the statement.
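The two approaches recommended above, an allowlist check at the data access layer and a parameterized query, as an added example that is not code from the original post. The vulnerable string-concatenation version is kept beside the fixed one for contrast. It assumes a JDBC Connection to a database with a table users(username, password); the table and column names, the class name UserDao and the helper names are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;

// Added example, not from the original post. Assumes a JDBC Connection to a
// database with a table users(username, password); the table, columns and
// class name are illustrative assumptions.
public class UserDao {

    // Allowlist check at the business/data access layer: instead of hunting for
    // SQL keywords (which also rejects "select" in a blog comment), state what a
    // username may look like and reject everything else.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,32}$");

    public static boolean isValidUsername(String username) {
        return username != null && USERNAME.matcher(username).matches();
    }

    // VULNERABLE: the parameter values become part of the SQL text, so a quote
    // inside a value ends the string literal and the rest is parsed as SQL.
    public static String buildUnsafeQuery(String username, String password) {
        return "SELECT 1 FROM users WHERE username = '" + username
                + "' AND password = '" + password + "'";
    }

    public static boolean loginUnsafe(Connection conn, String username, String password)
            throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(username, password))) {
            return rs.next();
        }
    }

    // SAFE: the SQL text is fixed; the values travel to the database as bound
    // parameters and cannot change the statement's structure, whatever
    // characters they contain. No keyword blacklist is needed for this.
    private static final String LOGIN_SQL =
            "SELECT 1 FROM users WHERE username = ? AND password = ?";

    public static boolean loginSafe(Connection conn, String username, String password)
            throws SQLException {
        if (!isValidUsername(username)) {
            return false; // rejected before the database is touched
        }
        try (PreparedStatement ps = conn.prepareStatement(LOGIN_SQL)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // No database is needed to see the problem: this is the SQL the unsafe
        // path would send for a constructed malicious username.
        String attackerUsername = "admin' -- ";
        System.out.println(buildUnsafeQuery(attackerUsername, "anything"));
        System.out.println("allowlist accepts it: " + isValidUsername(attackerUsername));
    }
}
```

Running main shows that the unsafe builder emits a statement in which the quote in the username closes the string literal and `--` turns the password check into a comment, so the password is never compared; loginSafe either rejects the same input at the allowlist or looks it up as the literal string `admin' -- `. One caveat: bound parameters protect only the values they bind. Table names, column names or ORDER BY clauses taken from user input cannot be parameterized and still need an allowlist.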
For an explanation of SQL injection, refer to: http://www.cnblogs.com/EasonJim/p/6223216.html
For a tutorial on using filter filters, refer to: http://www.runoob.com/servlet/servlet-writing-filters.html
The code implemented with a servlet Filter is as follows:
Xml:
<!-- configuration in the web.xml file -->
<!-- filter to prevent SQL injection -->
<filter>
    <filter-name>AntiSqlInjection</filter-name>
    <!-- must be the fully qualified name of the filter class below -->
    <filter-class>com.jsoft.jblog.filter.AntiSqlInjectionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AntiSqlInjection</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Filter
package com.jsoft.jblog.filter;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class AntiSqlInjectionFilter implements Filter {

    public void destroy() {
    }

    public void init(FilterConfig arg0) throws ServletException {
    }

    public void doFilter(ServletRequest args0, ServletResponse args1, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) args0;
        // (the original also cast args1, the response, to HttpServletRequest, which
        // throws ClassCastException at runtime; the response is not needed here)

        // concatenate the values of all request parameters into one string
        Enumeration params = req.getParameterNames();
        String sql = "";
        while (params.hasMoreElements()) {
            String name = params.nextElement().toString();
            String[] value = req.getParameterValues(name);
            for (int i = 0; i < value.length; i++) {
                sql = sql + value[i];
            }
        }

        // a blacklisted SQL token was found: reject the request
        // (the original comment says "jump to error.html", but the code throws instead)
        if (sqlValidate(sql)) {
            // String ip = req.getRemoteAddr();
            throw new IOException("The parameters in your request contain illegal characters");
        } else {
            chain.doFilter(args0, args1);
        }
    }

    // validation: true if the string contains any blacklisted token
    protected static boolean sqlValidate(String str) {
        str = str.toLowerCase(); // unify to lowercase
        // SQL keywords and characters to block; extend by hand as needed
        String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|*|%|chr|mid|master|truncate|"
                + "char|declare|sitename|net user|xp_cmdshell|;|or|-|+|,|like'|and|exec|execute|insert|create|drop|"
                + "table|from|grant|use|group_concat|column_name|"
                + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|"
                + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#";
        String[] badStrs = badStr.split("\\|");
        for (int i = 0; i < badStrs.length; i++) {
            // substring match: "or" also hits "word" or "form", and "-" hits any
            // hyphenated value, which is the false-positive problem noted above
            if (str.indexOf(badStrs[i]) >= 0) {
                return true;
            }
        }
        return false;
    }
}
Reference: http://www.oschina.net/code/snippet_811941_14131
Java prevents SQL injection 2 (interception via the Filter feature)