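/**
 * Heuristic denylist screen for a SQL statement that the caller has already
 * assembled as text.
 *
 * <p>The statement is rejected ({@code false}) when any of the following
 * appears: a {@code --} comment marker anywhere (even inside a string
 * literal), the phrase {@code delete from} or {@code insert into}, an
 * {@code into} whose target does not start with {@code #} (anything other
 * than a temporary table), or an {@code update <name> set} clause. Matching
 * is case-insensitive, and tabs, CR/LF line endings and repeated spaces are
 * collapsed to a single space first so that spacing alone cannot make a
 * denylisted shape go unrecognised.
 *
 * <p>A keyword denylist only refuses a handful of statement shapes and says
 * nothing about the data embedded in the statement; it is not a substitute
 * for binding values through {@code PreparedStatement}. Treat this as a
 * defence-in-depth check layered on top of parameterised queries, not as the
 * injection control itself.
 *
 * @param sqlcmd the SQL text to screen; {@code null} is treated as unsafe
 * @return {@code true} when none of the denylisted shapes were found
 */
public boolean bsafe(String sqlcmd)
{
    if (sqlcmd == null) {
        return false;
    }
    // A "--" marker cannot span a line break, so checking the whole text is
    // the same as checking each line as the original per-row loop did.
    if (sqlcmd.contains("--")) {
        return false;
    }
    // Collapse every whitespace run (tab, CR, LF, repeated spaces) to one
    // space; the trailing space keeps "insert into" at the very end matching
    // the "insert into " phrase, as the original row join did.
    String merged = sqlcmd.toLowerCase(java.util.Locale.ROOT)
            .replaceAll("\\s+", " ")
            .trim() + " ";
    if (merged.contains("delete from") || merged.contains("insert into ")) {
        return false;
    }
    return onlyTempTableTargets(merged) && !hasUpdateSet(merged);
}

/** True when every {@code into } in the normalised text targets a {@code #} temp table. */
private static boolean onlyTempTableTargets(String merged)
{
    int from = 0;
    while (true) {
        int at = merged.indexOf("into ", from);
        if (at < 0) {
            return true;
        }
        if (!merged.startsWith("into #", at)) {
            return false;
        }
        // Skip past the keyword only, so the next search resumes at the target.
        from = at + "into ".length();
    }
}

/** True when the normalised text contains {@code update <name> set}. */
private static boolean hasUpdateSet(String merged)
{
    int from = 0;
    while (true) {
        int at = merged.indexOf("update ", from);
        if (at < 0) {
            return false;
        }
        int nameStart = at + "update ".length();
        // Whitespace is already collapsed, so the first space after the name
        // is where a " set" clause would begin.
        int nameEnd = merged.indexOf(' ', nameStart);
        if (nameEnd >= 0 && merged.startsWith(" set", nameEnd)) {
            return true;
        }
        from = nameStart;
    }
}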
公司裏做後端寫的防注入,不知防範能力如何