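/**
 * Keyword-blacklist heuristic for spotting SQL fragments in request parameters.
 *
 * <p>This is a coarse pre-filter, not an injection defence. It matches plain
 * substrings, so ordinary values such as "Sandra" or "handle" trip the
 * {@code and} token and any value containing {@code *} or {@code %} is rejected,
 * while a fixed list can never enumerate every SQL spelling. The data-access
 * layer must still use {@code PreparedStatement} parameters; treat a hit here
 * only as a signal to log and reject the request.
 */
public class SqlProtect {
    /**
     * Pipe-separated blacklist. Each keyword is spelt in lower and upper case;
     * matching is case-insensitive, so the duplicates are redundant but kept for
     * readability. The original list had the typo {@code DECLARE;}, which fused
     * the {@code DECLARE} keyword with a {@code ;} token so that neither ever
     * matched; they are separate tokens here.
     */
    private static final String SQL_INJECTION_STR =
        "and|AND|exec|EXEC|insert|INSERT|select|SELECT|delete|DELETE|update|UPDATE|count|COUNT|*|%|chr|CHR|mid|MID|master|MASTER|truncate|TRUNCATE|char|CHAR|declare|DECLARE|;|or '1'='1'|OR '1'='1'";

    /** Blacklist tokens, split and lower-cased once instead of on every call. */
    private static final String[] INJECTION_TOKENS = lowerCaseTokens(SQL_INJECTION_STR);

    /** Splits the pipe-separated list and lower-cases each token with a fixed locale. */
    private static String[] lowerCaseTokens(String pipeSeparated) {
        String[] tokens = pipeSeparated.split("\\|");
        for (int i = 0; i < tokens.length; i++) {
            // Locale.ROOT keeps the comparison independent of the JVM default locale.
            tokens[i] = tokens[i].toLowerCase(java.util.Locale.ROOT);
        }
        return tokens;
    }

    /**
     * Returns whether {@code sqlStr} contains any blacklisted token, compared
     * case-insensitively (the original compared case-sensitively, so mixed-case
     * spellings such as {@code SeLeCt} slipped through the doubled keyword list).
     *
     * @param sqlStr parameter value to inspect; {@code null} and the empty string
     *     contain no token and yield {@code false} instead of throwing
     * @return {@code true} if a blacklisted substring is present
     */
    public boolean hasSqlnjectionTag(String sqlStr) {
        if (sqlStr == null || sqlStr.isEmpty()) {
            return false;
        }
        String lowered = sqlStr.toLowerCase(java.util.Locale.ROOT);
        for (String token : INJECTION_TOKENS) {
            if (lowered.contains(token)) {
                return true;
            }
        }
        return false;
    }
}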
url過濾器添加邏輯
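// Global SQL-injection guard: reject the request as soon as any parameter value
// trips the SqlProtect keyword blacklist. This is a heuristic pre-filter only; the
// data-access layer still has to use parameterized queries.
Enumeration<String> enuSql = req.getParameterNames();
SqlProtect sqlProtect = new SqlProtect();
while (enuSql.hasMoreElements()) {
    String param = enuSql.nextElement();
    // A repeated parameter carries several values; getParameter() would have
    // inspected only the first one.
    String[] values = req.getParameterValues(param);
    if (values == null) {
        continue;
    }
    for (String value : values) {
        // Guard null explicitly: the checker is not guaranteed to tolerate it.
        if (value == null || !sqlProtect.hasSqlnjectionTag(value)) {
            continue;
        }
        // Both the name and the value are attacker-controlled; strip CR/LF so a
        // crafted value cannot forge extra lines in the log.
        String safeParam = param.replace('\r', ' ').replace('\n', ' ');
        String safeValue = value.replace('\r', ' ').replace('\n', ' ');
        logger.error("SQL Injection attack -- Illegal value of parameter(" + safeParam + "): " + safeValue);
        HttpServletResponse resp = (HttpServletResponse) response;
        resp.sendError(HttpServletResponse.SC_FORBIDDEN, "sql非法輸入,您的訪問將被禁止,請檢查再試,謝謝!");
        return;
    }
}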