What is a SQL injection attack? Quoting Baidu Encyclopedia's explanation:
SQL injection (Baidu Encyclopedia):
SQL injection inserts SQL commands into a Web form submission, or into the query string of a domain name or page request, and eventually tricks the server into executing a malicious SQL command. Specifically, it is the ability to use an existing application to inject (malicious) SQL commands into the back-end database engine for execution: by entering (malicious) SQL statements into a Web form on a site that has a security vulnerability, the attacker gets the database to run them instead of the SQL statement the designer intended. [1] For example, many of the earlier leaks of VIP membership passwords from film and television sites happened largely through query strings submitted via Web forms; such forms are particularly vulnerable to SQL injection attacks.
A SQL injection attack means supplying specially crafted input as a parameter to the Web application. The input is mostly a combination of SQL syntax, and executing the resulting SQL statement carries out the attacker's actions. The main cause is that the program does not carefully filter user input, so illegal data gets into the system.
What a Filter does:
A Filter allows the application to alter a request and modify a response. A Filter is not a servlet and cannot produce a response by itself; it can preprocess the request before it reaches the servlet, and it can post-process the response after it leaves the servlet.
In other words, a filter is effectively a link in a "servlet chain". Since every request sent by the user has to pass through the filter, we can check in the filter whether the user's request contains sensitive keywords, and then either replace them or redirect to an error page that prompts the user. This gives a very good defence against SQL injection.
Specific implementation code:
/yourproject/src/com/SqlFilter.java

```java
package com;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Filter that screens request parameters for SQL keywords
public class SqlFilter implements Filter {

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // Get the names of all request parameters
        Enumeration<String> params = req.getParameterNames();
        String sql = "";
        while (params.hasMoreElements()) {
            // Get the name of the parameter
            String name = params.nextElement();
            // System.out.println("name===========================" + name + "--");
            // Get the value(s) for the parameter and concatenate them into one string
            String[] value = req.getParameterValues(name);
            for (int i = 0; i < value.length; i++) {
                sql = sql + value[i];
            }
        }
        System.out.println("Matched string:" + sql);
        if (sqlValidate(sql)) {
            res.sendRedirect("error.jsp");
        } else {
            chain.doFilter(req, res);
        }
    }

    // Validation
    protected static boolean sqlValidate(String str) {
        str = str.toLowerCase(); // Unify to lowercase
        // String badStr = "and|exec";
        String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|chr|mid|master|truncate|char|declare|"
                + "sitename|net user|xp_cmdshell|or|like";
        /* String badStr = "'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|"
                + "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|"
                + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#"; */
        // The SQL keywords to filter out; you can add more by hand
        String[] badStrs = badStr.split("\\|");
        for (int i = 0; i < badStrs.length; i++) {
            if (str.indexOf(badStrs[i]) != -1) {
                System.out.println("Match to:" + badStrs[i]);
                return true;
            }
        }
        return false;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // throw new UnsupportedOperationException("Not supported yet.");
    }

    public void destroy() {
        // throw new UnsupportedOperationException("Not supported yet.");
    }
}
```
/yourproject/WebContent/WEB-INF/web.xml (add the filter configuration to web.xml):

```xml
<!-- SQL Filter -->
<filter>
    <filter-name>SqlFilter</filter-name>
    <filter-class>com.SqlFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SqlFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```
/yourproject/WebContent/error.jsp (the page the request is redirected to when a SQL keyword is detected):

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Error</title>
</head>
<body>
<div align="center">
<br>
<h4>Illegal input</h4>
<p><input type="button" name="back" value="Back" onclick="javascript:history.go(-1);" /></p>
</div>
</body>
</html>
```
Adding the above filter to your project can effectively prevent SQL injection.
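The filter above inspects parameter values before the servlet runs, but the statement that actually touches the database is where an injection succeeds or fails. A practitioner would pair the filter with parameterized queries, so that the query structure is fixed no matter what the input contains. Note also that the substring blocklist in SqlFilter rejects legitimate values: a search for "Orlando" is sent to error.jsp because it contains "or". The following data-access class is an added example written for this article, not code from the original post; it assumes a container-managed javax.sql.DataSource and a hypothetical table products(id INT, name VARCHAR, price DECIMAL).

```java
package com;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import javax.sql.DataSource;

// Added example, not part of the original article. Assumes a container-managed
// javax.sql.DataSource and a hypothetical table products(id, name, price).
public class ProductDao {

    private final DataSource dataSource;

    public ProductDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Unsafe pattern that the keyword filter is meant to guard: the parameter value is
    // pasted into the SQL text, so a quote inside it changes the statement itself.
    // Kept only as a comment for contrast; do not use.
    //   String sql = "SELECT name FROM products WHERE name LIKE '%" + fragment + "%'";

    // Safe pattern: the statement text is fixed and the value is bound through "?".
    // The driver sends it as data, so quotes or words such as "or" and "select" in the
    // search term are matched literally and can never alter the query.
    public List<String> findByName(String fragment) throws SQLException {
        String sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '!' ORDER BY name";
        List<String> names = new ArrayList<>();
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + escapeLike(fragment) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    // Typed lookup: converting the parameter to int before it gets anywhere near SQL
    // is itself a strict restriction on the input.
    public String findNameById(int id) throws SQLException {
        String sql = "SELECT name FROM products WHERE id = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    // Binding protects the statement structure, but LIKE still interprets "%" and "_"
    // inside the bound value. Escape them (and the escape character itself) so the
    // user's text is matched literally instead of acting as a wildcard.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

A servlet would call `new ProductDao(dataSource).findByName(req.getParameter("q"))`. With the query parameterized like this, the keyword filter becomes an additional layer rather than the only control, and the LIKE escaping closes the separate, smaller issue of user-supplied wildcards.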
Similarly, filters can be used to implement masking of sensitive words; the approach is much like the SQL injection prevention shown here, so explore it yourself!
More steps to prevent SQL injection:
- Strictly restrict and filter input
- Restrict some services, such as database connections, to valid (allowed) IP addresses
- Minimize system calls in CGI programs
- Pre-scan the system with a Web vulnerability scanner
- Download a universal SQL anti-injection program and include it with <!--#include file="xxx.asp"--> in the header of every page that needs protection from injection, to block manual injection testing (for ASP pages)
- Set up a trap account: create two accounts, one the normal administrator account and one an anti-injection account. Give the anti-injection account a name that looks much like the administrator's, such as admin, to create an illusion that attracts automated tools, and give it a very long password made of Chinese characters, so that a tool analysing the account is driven to full load or even exhausts its resources and crashes.
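For the first item, "strictly restrict and filter input", the robust form is allowlist validation: accept only values that match a known-good format or a fixed set, instead of searching free text for forbidden keywords as SqlFilter does. The class below is an added example written for this article, not code from the original post; the parameter formats, the column list and the class name are assumptions. It also covers the one case that "?" binding cannot handle, a user-chosen ORDER BY column, which must be picked from a fixed list because JDBC cannot bind identifiers.

```java
package com;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not from the original article. Allowlist validation for request
// parameters, as opposed to the substring blocklist in SqlFilter. The parameter
// formats and the column list are assumptions for illustration.
public final class InputRules {

    // Usernames: letters, digits and underscore only, 3 to 20 characters.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_]{3,20}$");

    // Column names cannot be bound with "?" in JDBC, so a user-chosen sort column is
    // selected from this fixed list rather than copied into the SQL text.
    private static final Set<String> SORT_COLUMNS =
            new HashSet<>(Arrays.asList("name", "price", "created_at"));

    private InputRules() {}

    // Returns the value unchanged if it matches the allowed format, otherwise throws.
    // No keyword scanning is needed: a quote, a space or the word "select" simply
    // fails the pattern, and ordinary names containing "or" or "and" pass.
    public static String requireUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return raw;
    }

    // Numeric parameters are converted to the type the query expects; anything that
    // is not a positive integer is rejected before it can reach a statement.
    public static int requireId(String raw) {
        int id;
        try {
            id = Integer.parseInt(raw); // parseInt(null) also throws NumberFormatException
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("invalid id", e);
        }
        if (id <= 0) {
            throw new IllegalArgumentException("id must be positive");
        }
        return id;
    }

    // For ORDER BY, return one of our own constants; the user's value only picks which.
    public static String requireSortColumn(String raw) {
        return (raw != null && SORT_COLUMNS.contains(raw)) ? raw : "name";
    }

    // Small self-check; run with: javac -d . InputRules.java && java com.InputRules
    public static void main(String[] args) {
        System.out.println(requireUsername("orlando_99"));   // accepted despite containing "or"
        System.out.println(requireId("42"));                 // 42
        System.out.println(requireSortColumn("price"));      // price
        System.out.println(requireSortColumn("created_by")); // unknown column falls back to "name"
        try {
            requireUsername("o'brien");                      // the quote fails the pattern
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Inside a servlet, a rejected value is reported back to the user the same way the filter does (for example by forwarding to error.jsp), and only values that pass are handed to the parameterized queries.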
JSP uses filters to prevent SQL injection