灰太狼吧 發表於 2012-8-10 14:59:58

Java防止SQL注入的几个途径

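/*
 * Preventing SQL injection in Java.
 *
 * The reliable defense is to never build SQL by string concatenation. Execute
 * statements through PreparedStatement with '?' placeholders (or an ORM /
 * query builder that does the same) and pass user input ONLY as bound
 * parameters. A bound parameter is always treated as data, so it cannot alter
 * the logical structure of the statement no matter which characters it
 * contains. Two caveats a practitioner should know:
 *   - PreparedStatement only helps if the statement text itself is constant.
 *     prepareStatement("... WHERE name = '" + name + "'") is still injectable.
 *   - Identifiers (table/column names) and ORDER BY direction cannot be bound;
 *     validate those against an explicit allow-list instead.
 *
 * Keyword/character blocklists such as the filter and sanitizer below are NOT a
 * substitute for parameterization. They are routinely bypassed (case tricks,
 * inline comments, alternative encodings, numeric contexts such as "1 OR 1=1"
 * that need no quote characters) and they reject or corrupt legitimate input
 * (names like O'Brien, free text containing "and"/"or", addresses with commas).
 * Treat them only as optional defense-in-depth behind a parameterized data
 * layer, and tune the keyword list per application.
 */
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that rejects a request when any request parameter value
 * contains one of a configurable list of SQL-like tokens.
 *
 * Scope: only {@code getParameterMap()} is inspected (query string and
 * form-encoded bodies). Headers, cookies, path segments, JSON/XML bodies and
 * multipart parts are NOT inspected, so this filter gives no coverage for
 * APIs that read those. It is a coarse defense-in-depth layer; the real
 * protection must come from PreparedStatement in the data layer.
 *
 * Configuration: the init-param {@code keywords} overrides the default list.
 * Tokens are '|'-separated and matched case-insensitively. A token made only
 * of word characters (e.g. {@code select}) must match as a whole word; any
 * other token (e.g. {@code '} or {@code ; }) matches as a literal substring
 * wherever it appears. Tokens are taken verbatim, so {@code "; "} keeps its
 * trailing space. The default list includes the operators {@code -}, {@code +},
 * {@code ,}, {@code %} and {@code *}, which will reject dates, phone numbers
 * and comma-separated text; most deployments should narrow the list.
 *
 * Fixes relative to the original listing: the original passed the whole
 * String[] to sql_inj (did not compile), compared against the array object
 * instead of each keyword (never matched), was case-sensitive, threw a NPE
 * when the {@code keywords} init-param was absent, and returned silently on a
 * hit with no response written. A hit now answers HTTP 400.
 */
public class SQLFilter implements Filter {

    /** Blocklist used when no {@code keywords} init-param is configured. */
    private static final String DEFAULT_KEYWORDS =
        "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";

    /** '|'-separated token list currently in effect. */
    private String inj_str = DEFAULT_KEYWORDS;

    /** Compiled form of {@link #inj_str}, rebuilt whenever the list changes. */
    private List<Pattern> patterns = compile(DEFAULT_KEYWORDS);

    protected FilterConfig filterConfig = null;

    /**
     * Retained from the original listing for source compatibility; this filter
     * never reads it (it was copied from an unrelated character-encoding filter).
     */
    protected boolean ignore = true;

    /**
     * Reads the optional {@code keywords} init-param. A missing or blank value
     * keeps the default list instead of failing at request time.
     */
    public void init(FilterConfig config) throws ServletException {
        this.filterConfig = config;
        String configured = (config == null) ? null : config.getInitParameter("keywords");
        if (configured != null && configured.trim().length() > 0) {
            this.inj_str = configured;
        }
        this.patterns = compile(this.inj_str);
    }

    /** Required by {@link Filter}; the original listing omitted it. */
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Inspects every value of every request parameter. On the first suspicious
     * value the request is answered with 400 Bad Request and the chain is not
     * invoked; otherwise the request proceeds unchanged. Non-HTTP requests are
     * passed through untouched.
     */
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            // Iterate as Object so this compiles against both the raw Map of
            // Servlet 2.4 and the Map<String,String[]> of Servlet 2.5+.
            for (Object entry : req.getParameterMap().values()) {
                String[] values = (String[]) entry;
                if (values == null) {
                    continue;
                }
                for (String value : values) {
                    if (value != null && sql_inj(value)) {
                        // Do not echo the offending value back: it is attacker
                        // controlled and would become a reflected-XSS vector.
                        res.sendError(HttpServletResponse.SC_BAD_REQUEST);
                        return;
                    }
                }
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns true when {@code str} contains any configured token (see the class
     * comment for the matching rules). Null or empty input is never flagged.
     *
     * @param str a single parameter value
     * @return whether the value should be rejected
     */
    public boolean sql_inj(String str) {
        if (str == null || str.length() == 0) {
            return false;
        }
        for (Pattern p : patterns) {
            if (p.matcher(str).find()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Compiles a '|'-separated token list into patterns, once, instead of
     * re-splitting the list on every request. Word-only tokens get \b anchors;
     * everything else is quoted and matched literally. Empty tokens are skipped.
     */
    private static List<Pattern> compile(String keywordList) {
        List<Pattern> out = new ArrayList<Pattern>();
        if (keywordList == null) {
            return out;
        }
        for (String token : keywordList.split("\\|")) {
            if (token.length() == 0) {
                continue;
            }
            String regex = token.matches("\\w+")
                ? "\\b" + Pattern.quote(token) + "\\b"
                : Pattern.quote(token);
            out.add(Pattern.compile(regex, Pattern.CASE_INSENSITIVE));
        }
        return out;
    }
}

/*
 * Alternatively, the check can be applied to individual JavaBean fields that
 * end up in SQL. The original listing showed this as a bare static method on
 * such a bean; it is hosted in a small utility class here so the listing
 * compiles as one file.
 */
final class SqlInputSanitizer {

    /** A single quote, a semicolon, or an SQL line comment introducer. */
    private static final Pattern SUSPICIOUS = Pattern.compile("[';]|--");

    private SqlInputSanitizer() {
    }

    /**
     * Discards the whole value (returning a single space) when it contains a
     * quote, a semicolon or "--"; otherwise returns it unchanged.
     *
     * This is a last-resort check, not sanitization: it does nothing against
     * injection that needs none of those characters (e.g. "1 OR 1=1" in a
     * numeric context) and it silently destroys legitimate data such as
     * "O'Brien". Prefer binding the value with PreparedStatement.
     *
     * Changes from the original: the regex is compiled once instead of on every
     * call; the decision covers the whole value rather than only the line the
     * token appears on (the original's ".*" stopped at newlines, so benign
     * lines of a multi-line value survived while others were wiped); and null
     * input returns null instead of throwing NullPointerException.
     *
     * @param sql a field value destined for an SQL statement
     * @return the original value, or " " if it looked suspicious
     */
    public static String TransactSQLInjection(String sql) {
        if (sql == null) {
            return null;
        }
        return SUSPICIOUS.matcher(sql).find() ? " " : sql;
    }
}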