The first method uses PreparedStatement, which has built-in protection against SQL injection: you only need to pass the values with its setString method, so they are bound as parameters and never spliced into the SQL text:
String sql = "select * from users where username = ? and password = ?";
PreparedStatement preState = conn.prepareStatement(sql);
preState.setString(1, userName);   // bound as a value, not as SQL
preState.setString(2, password);
ResultSet rs = preState.executeQuery();
...
The second method uses regular expressions to strip single quotation marks ('), semicolons (;) and comment markers (--) from the input before it is placed in the statement.
Example 1
public static String TransactSQLInjection(String str)
{
    // drops any input that contains a quote, a semicolon or a "--" comment marker
    return str.replaceAll(".*([';]+|(--)+).*", "");
}
userName = TransactSQLInjection(userName);
password = TransactSQLInjection(password);
String sql = "select * from users where username = '" + userName + "' and password = '" + password + "'";
Statement sta = conn.createStatement();
ResultSet rs = sta.executeQuery(sql);
...
Or Example 2
Package to import:
import java.util.regex.*;
Regular expression:
private String CHECKSQL = "^(.+)\\sand\\s(.+)|(.+)\\sor(.+)\\s$";
Check whether a match exists:
Pattern.matches(CHECKSQL, targetStr);
The following are specific regular expressions:
Regular expression for checking SQL meta-characters:
/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
Corrected regular expression for checking SQL meta-characters:
/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
Typical regular expression for SQL injection attacks:
/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
Regular expression for detecting the UNION keyword in SQL injection:
/((\%27)|(\'))union/ix
Regular expression for detecting MS SQL Server SQL injection attacks:
/exec(\s|\+)+(s|x)p\w+/ix
And so on.
The third method is string filtering.
Example 1
sql_inj.java is an improved anti-injection bean. After compilation, the class file is placed in the sql_inj directory under Tomcat's classes directory.
sql_inj.java code:
========================================================== ======================================
package sql_inj;
import java.net.*;
import java.io.*;
import java.sql.*;
import java.text.*;
import java.lang.String;
public class sql_inj {
    public static boolean sql_inj(String str)
    {
        // blacklist of SQL keywords and meta-characters, separated by "|"; you can add items here
        String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        String[] inj_stra = inj_str.split("\\|");
        for (int i = 0; i < inj_stra.length; i++)
        {
            // indexOf is case-sensitive and matches substrings, so the check is only as good as the list
            if (str.indexOf(inj_stra[i]) >= 0)
            {
                return true;
            }
        }
        return false;
    }
}
========================================================== ======================================
JSP page judgment code:
========================================================== ======================================
<jsp:useBean id="sql_inj" class="sql_inj.sql_inj" scope="page"/>
<%
String currenturl = request.getRequestURI() + (request.getQueryString() == null ? "" : ("?" + request.getQueryString()));
if (sql_inj.sql_inj(currenturl)) { // if the URL or its parameters contain injection code, redirect
    response.sendRedirect("/");
    return;
}
// out.println(currenturl);
%>
Example 2
public static boolean sql_inj(String str) {
    String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
    String[] inj_stra = inj_str.split("\\|");
    for (int i = 0; i < inj_stra.length; i++) {
        if (str.indexOf(inj_stra[i]) >= 0) { return true; }
    }
    return false;
}
Call this function in the JSP page to check whether the input contains illegal characters.
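As an added example (not the article's own code), the scanner below combines the regular expressions from the second method with the sql_inj keyword list from the third, matched case-insensitively on both the raw and the URL-decoded query string, with keywords matched as whole words; the sample query strings are constructed, and it needs Java 10 or later for URLDecoder.decode(String, Charset). It is meant as a logging and detection layer alongside the prepared-statement method, not as a replacement for it.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
// Hypothetical request scanner (added example; not the article's sql_inj bean).
public class RequestScanner {
    // The article's detection regexes, compiled once; CASE_INSENSITIVE stands in for the /i flag.
    private static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        RULES.put("sql-meta-characters", Pattern.compile("(%27)|(')|(--)|(%23)|(#)", Pattern.CASE_INSENSITIVE));
        RULES.put("union-query", Pattern.compile("((%27)|('))union", Pattern.CASE_INSENSITIVE));
        RULES.put("mssql-exec", Pattern.compile("exec(\\s|\\+)+(s|x)p\\w+", Pattern.CASE_INSENSITIVE));
        // sql_inj's keyword list, matched as whole words so "android" no longer trips on "and".
        RULES.put("sql-keyword", Pattern.compile(
            "\\b(and|or|exec|insert|select|delete|update|count|chr|mid|master|truncate|char|declare)\\b",
            Pattern.CASE_INSENSITIVE));
    }
    /** Name of the first rule that matches the query string, or null if none does. */
    public static String firstHit(String rawQuery) {
        String decoded;
        try {
            // sql_inj scanned only the raw URL; scanning the decoded form too catches %2D%2D as "--".
            decoded = URLDecoder.decode(rawQuery, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "malformed-percent-encoding";   // truncated %-escape: worth logging on its own
        }
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            if (rule.getValue().matcher(rawQuery).find() || rule.getValue().matcher(decoded).find()) {
                return rule.getKey();
            }
        }
        return null;
    }
    public static void main(String[] args) {
        // Constructed sample query strings; the last one shows a whole-word keyword rule still
        // flagging plain English, which is why this is a logging signal rather than the control.
        String[] samples = {
            "user=alice&pass=s3cret",
            "id=1%27%20union%20select%20null--",
            "cmd=exec+sp_who",
            "q=android+phones",           // sql_inj's indexOf check flags this on "and" and "+"
            "note=salt%20and%20pepper"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + firstHit(s));
        }
    }
}
```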
Use JavaScript to block insecure characters on the client
Function description: checks whether the string contains "'", "\" or "/"
Parameter description: the string to be checked
Return value: 0 if one of them is present, 1 if not
The function is:
function check(a)
{
    var fibdn = new Array("'", "\\", "/");   // characters to block
    var i = fibdn.length;
    var j = a.length;
    for (var ii = 0; ii < i; ii++)
    {
        for (var jj = 0; jj < j; jj++)
        {
            var temp1 = a.charAt(jj);
            var temp2 = fibdn[ii];
            if (temp1 == temp2)
            {
                return 0;   // insecure character found
            }
        }
    }
    return 1;   // no insecure character found
}