String escape in "Javaweb" background, remember to avoid SQL injection before storing the string.

Source: Internet
Author: User
Tags html tags

The way to escape the contents of the form's input box must be escaped by "JavaScript", which causes the Web page to crash and the display method that involves the escape character (click the Open link) before referring to a form, but in fact the escape of this string should be done in the background. This can also effectively prevent SQL injection problems.

What is the so-called SQL injection? For example, you do a login function or something. You have to put the user name according to user input, query the password stored in the database, and then match the password is not?

The SELECT statement generally writes the Select Username,password from UserInfo table where username= passes the arguments.

Well, if the user enters A;drop database in their login name at this time, or a or 1=1, then you can delete your data, or you can log in any situation, or you can cause your tomcat to crash with abnormal information.

At the same time, if you do not escape, the storage, even if the user is a good input, can also lead to the destruction of your Web page.

For example, the user is only in the input box, the input content has <input type= "text"/> and so on, you again in the database query out, it will cause you to display <input type= "text"/> This part, into an input box. It's still a trifle. If some of the ulterior motives of the user, constructs a <form action= "xx"/> form, is sufficient to cause the cross-site attack.

Therefore, we must escape the display for some data that should not exist.

Here, "JavaScript" some characters do not escape can cause the Web page crashes and involve the escape character display method (click Open link), with the method described below, with one can be, or the method of multiple character escapes conflict,< to & lt; and you turn into & Amp lt; Then the user sees is & lt; , very confusing. Also note that the "JQuery" Web page Text Format Editor xheditor (click the Open link) This editor, the submission form will automatically help you to complete the escape. In short, the final meaning is, for those with the editor of the text box, you encode how many times, you should decode how many times. For those single-line text boxes, we only need to encode, not to decode, because we presume it has no format!

Note: The following code & are used full-width, should use half-width, but the half-width of the & will be csdn swallowed , visible csdn have been to these symbols processing good to dare to look at the site!

At the same time, it should be noted that some symbols in the ReplaceAll method, after all, replaceall the first parameter is filled with regular expressions, some symbols will conflict with the regular expression.

public class Encodedecodeutil {/* * All text boxes must be HTMLEncode and then put into storage (anti-SQL injection) * All displayed, if a single-line text box does not need to go through the HtmlDecode * Definition: The contents of a single line text box are not formatted content presumption: All in a single-line text box input HTML tags are bad behavior * The contents of a multiline text box with an editor should be htmldecode to preserve its native format * Notice that the script has been forcefully escaped and is no longer decode restored, so what if you have a format? */public static string HtmlEncode (string html) {if (html! = null) {//Necessary return Html.replaceall ("&", "&"). ReplaceAll ("<", "<"). ReplaceAll (">", ">"). ReplaceAll ("\" "," ""). ReplaceAll ("", " ") Some of the half-width symbols that may be problematic, or to be escaped. , the +, *, |, \, and other symbols have different meanings in the regular expression. To be written like \\,\\+. ReplaceAll ("[+]", "+"). ReplaceAll ("-", "-")/\ is the most special, sensitive to the regular expression is also for the Java string sensitivity, its notation in replace is \\\.replaceall ("\\\\", "\"). ReplaceAll ("/", "/"). ReplaceAll ("[*]", "*"). ReplaceAll (":", ":"). ReplaceAll ("[?]", "? "). ReplaceAll (" [|] "," | ")//not necessary, but still escaped. ReplaceAll (" ¢ "," ¢ "). ReplaceAll ("£", "£"). ReplaceAll ("¥", "¥"). ReplaceAll ("§", "§"). ReplaceAll ("©", "©"). ReplaceAll ("®", "®"). ReplaceAll ("x", "×"). ReplaceAll ("÷", "÷");} else {//Avoid control of incoming error, if NULL value is encountered, first replace with an emptyLattice//is primarily to prevent form validation when some browsers do not get the value of some items of the form return "" because of compatibility issues;} Here with the HTMLEncode into an axisymmetric! As assembly language, the variables of the stack into the stack of each other to protect the scene like//write me very painful, hand it back to the public static string HtmlDecode (string html) {if (html! = NULL) {return HTML. ReplaceAll ("÷", "÷"). ReplaceAll ("×", "X"). ReplaceAll ("®", "®"). ReplaceAll ("©", "©"). ReplaceAll ("§", "§"). ReplaceAll ("¥", "¥"). ReplaceAll ("£", "£"). ReplaceAll ("¢", "¢")//"not necessary, But let's escape the section. ReplaceAll ("|", "|"). ReplaceAll ("? ", "?") In replace, the first position is written as [*], and in the second position it is not necessary to write//Because this is not a regular expression. ReplaceAll (":", ":"). ReplaceAll ("*", "*"). ReplaceAll ("/", "/") . ReplaceAll ("\", "\ \"). ReplaceAll ("-", "-"). ReplaceAll ("+", "+")//"Some of the half-width symbols that may be problematic, or to be escaped." Section. ReplaceAll (" ", ""). ReplaceAll ("" "," \ ""). ReplaceAll (">", ">"). ReplaceAll ("<", "<"). ReplaceAll ("&", "&");. ReplaceAll ("<script", "<script")//"necessary" section} else {return null;}}}

At this point, again to review the article at the beginning of the question, if the user in the input box input A;drop database, or a or 1=1, and so on, before executing the database query, this character early into a;drop& nbsp;database.

There is no more SQL injection problem. And some of the normal input of English, Chinese characters are absolutely no problem. After encode and decode or the original look!

String escape in "Javaweb" background, remember to avoid SQL injection before storing the string.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.