java filter防止sql注入攻击
原理,过滤所有请求中含有非法的字符,例如:, & < select delete 等关键字,黑客可以利用这些字符进行注入攻击,原理是后台实现使用拼接字符串,案例
某个网站的登入验证的SQL查询代码为
strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');"
恶意填入
userName = "' OR '1'='1";与passWord = "' OR '1'='1";时,将导致原本的SQL字符串被填为
strSQL = "SELECT * FROM users WHERE (name = '' OR '1'='1') and (pw = '' OR '1'='1');"也就是实际上运行的SQL命令会变成下面这样的
strSQL = "SELECT * FROM users;"
因此达到无帐号密码,亦可登入网站。所以SQL注入攻击被俗称为黑客的填空游戏。
实现三个步骤:
1,编写filter
2,配置xml
3,配置error.jsp
filter代码:
package com.rick.ssm.common.filter;
import java.io.IOException;
import java.util.ArrayList;import java.util.List;import java.util.Map;import java.util.Set;import javax.servlet.Filter;
import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;/**
* ------------------------------------------- * Title : SqlInjectFilter * Description : 防止sql注入过滤器 * Create on : 2017年8月2日 下午2:21:17 * Copyright (C) strongunion * @author RICK * @版本号: V1.0 * ------------------------------------------- */public class SqlInjectFilter implements Filter{ private static List<String> invalidsql = new ArrayList<String>(); private static String error = "/error.jsp"; private static boolean debug = false;@Override
public void init(FilterConfig filterConfig) throws ServletException { String sql = filterConfig.getInitParameter("invalidsql"); String errorpage = filterConfig.getInitParameter("error"); String de = filterConfig.getInitParameter("debug"); if(errorpage != null){ error = errorpage; } if (sql != null) { String[] sqlarr = sql.split(" "); for (String sqlword : sqlarr) { invalidsql.add(sqlword); } invalidsql.add("<"); invalidsql.add(">"); } if(de != null && Boolean.parseBoolean(de)){ debug = true; System.out.println("PreventSQLInject Filter staring..."); System.out.println("print filter details"); System.out.println("invalid words as fllows (split with blank):"); for(String s : invalidsql){ System.out.print(s + " "); } System.out.println(); System.out.println("error page as fllows"); System.out.println(error); System.out.println(); } }@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { if(debug){ System.out.println("prevent sql inject filter works"); } HttpServletRequest request = (HttpServletRequest)req; HttpServletResponse response = (HttpServletResponse)res; Map<String, String[]> params = request.getParameterMap(); Set<String> keys = params.keySet(); for(String key : keys){ String value = request.getParameter(key); if(debug){ System.out.println("process params <key, value>: <"+key+", "+value+">"); } for(String word : invalidsql){ if(word.equalsIgnoreCase(value) || value.contains(word)){ if(value.contains("<")){ value = value.replace("<", "<"); } if(value.contains(">")){ value = value.replace(">", ">"); } request.getSession().setAttribute("sqlInjectError", "您输入的参数值 \""+value+"\" 中包含关键字: \""+word+"\""); response.sendRedirect(request.getContextPath()+error); return; } } } chain.doFilter(req, res); }@Override
public void destroy() { // TODO Auto-generated method stub }}2.web.xml中添加如下配置:
PreventSqlInject cn.kepu.filter.SqlInjectFilter invalidsql select insert delete from update create destory drop alter and or like exec count chr mid master truncate char declare ; - ' % error /error.jsp debug true PreventSqlInject /*
3,在根目录下添加error.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%> <% String path = request.getContextPath(); %>防sql注入系统 这个是防sql注入系统,自动过滤您的请求,请更换请求字符串。 <%=session.getAttribute("sqlInjectError")%>