springmvc防止sql注入_如何避免sql注入
Hi,大家好,我是编程小6,很荣幸遇见你,我把这些年在开发过程中遇到的问题或想法写出来,今天说一说
springmvc防止sql注入_如何避免sql注入,希望能够帮助你!!!。
package org.jeecgframework.core.interceptors; import java.util.Enumeration; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.log4j.Logger; import org.jeecgframework.core.common.model.json.AjaxJson; import org.jeecgframework.core.util.IpUtil; import org.jeecgframework.core.util.JSONHelper; import org.jeecgframework.core.util.ResourceUtil; import org.jeecgframework.web.cgform.common.CgAutoListConstant; import org.jeecgframework.web.system.pojo.base.TSUser; import org.springframework.web.servlet.HandlerInterceptor; import org.springframework.web.servlet.ModelAndView; /** * 防止SQL注入的拦截器 * * @author scott * @time 2018-05-21 */ public class SqlInjectInterceptor implements HandlerInterceptor {
private static final Logger logger = Logger.getLogger(SqlInjectInterceptor.class); /** * 在线开发特殊URL(需要录入SQL片段),进行特殊处理 */ private List<String> onlineOptUrls; @Override public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object arg2, Exception arg3) throws Exception {
// TODO Auto-generated method stub } @Override public void postHandle(HttpServletRequest request, HttpServletResponse response, Object arg2, ModelAndView arg3) throws Exception {
// TODO Auto-generated method stub } @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object arg2) throws Exception {
//1.在线开发功能(有SQL值情况),针对数据库SQL操作,进行开发者权限控制,防止SQL注入 String requestPath = ResourceUtil.getJgAuthRequsetPath(request); if (onlineOptUrls.contains(requestPath)) {
TSUser currentUser = ResourceUtil.getSessionUser(); if(CgAutoListConstant.SYS_DEV_FLAG_0.equals(currentUser.getDevFlag())){
logger.info(" ---操作失败,当前用户未授权开发权限-------- 请求IP ---------+"+IpUtil.getIpAddr(request)); AjaxJson json = new AjaxJson(); json.setSuccess(false); json.setMsg("操作失败,当前用户未授权开发权限!!"); response.setHeader("Cache-Control", "no-store"); response.getWriter().print(JSONHelper.bean2json(json)); return false; } return true; } //2,常规业务操作(无SQL值情况), 针对数据库SQL操作,进行开发者权限控制,防止SQL注入 Enumeration<String> names = request.getParameterNames(); while(names.hasMoreElements()){
String name = names.nextElement(); String[] values = request.getParameterValues(name); for(String value: values){
//sql注入直接拦截 if(judgeSQLInject(value.toLowerCase())){
logger.info("-----------Sql注入拦截-----------name: "+name+" -------------value:"+ value); response.setContentType("text/html;charset=UTF-8"); response.getWriter().print("参数含有非法攻击字符,已禁止继续访问!"); return false; } //跨站xss清理 clearXss(value); } } return true; } /** * 判断参数是否含有攻击串 * @param value * @return */ public boolean judgeSQLInject(String value){
if(value == null || "".equals(value)){
return false; } String xssStr = "and |or |select |update |delete |drop |truncate |%20|=|--|!="; String[] xssArr = xssStr.split("\\|"); for(int i=0;i<xssArr.length;i++){
if(value.indexOf(xssArr[i])>-1){
return true; } } return false; } /** * 处理跨站xss字符转义 * * @param value * @return */ private String clearXss(String value) {
logger.debug("----before--------处理跨站xss字符转义----------"+ value); if (value == null || "".equals(value)) {
return value; } value = value.replaceAll("<", "<").replaceAll(">", ">"); value = value.replaceAll("\\(", "(").replace("\\)", ")"); value = value.replaceAll("'", "'"); value = value.replaceAll("eval\\((.*)\\)", ""); value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); value = value.replace("script", ""); //为了用户密码安全,禁止列表查询展示用户密码---------- value = value.replace(",password","").replace("password",""); logger.debug("----end--------处理跨站xss字符转义----------"+ value); return value; } public List<String> getOnlineOptUrls() {
return onlineOptUrls; } public void setOnlineOptUrls(List<String> onlineOptUrls) {
this.onlineOptUrls = onlineOptUrls; } } <mvc:interceptor> <mvc:mapping path="/**" /> <bean class="org.jeecgframework.core.interceptors.SqlInjectInterceptor"> <property name="onlineOptUrls"> <list> </value> </list> </property> </bean> </mvc:interceptor> 今天的分享到此就结束了,感谢您的阅读,如果确实帮到您,您可以动动手指转发给其他人。
上一篇
已是最后文章
下一篇
已是最新文章
