Java防止SQL註入的幾個途徑

點評:java防SQL註入,最簡單的辦法是杜絕SQL拼接,SQL註入攻擊能得逞是因為在原有SQL語句中加入瞭新的邏輯

java防SQL註入,最簡單的辦法是杜絕SQL拼接,SQL註入攻擊能得逞是因為在原有SQL語句中加入瞭新的邏輯,如果使用PreparedStatement來代替Statement來執行SQL語句,其後隻是輸入參數,SQL註入攻擊手段將無效,這是因為PreparedStatement不允許在不同的插入時間改變查詢的邏輯結構 ,大部分的SQL註入已經擋住瞭, 在WEB層我們可以過濾用戶的輸入來防止SQL註入比如用Filter來過濾全局的表單參數 
01  import java.io.IOException; 
02  import java.util.Iterator; 
03  import javax.servlet.Filter; 
04  import javax.servlet.FilterChain; 
05  import javax.servlet.FilterConfig; 
06  import javax.servlet.ServletException; 
07  import javax.servlet.ServletRequest; 
08  import javax.servlet.ServletResponse; 
09  import javax.servlet.http.HttpServletRequest; 
10  import javax.servlet.http.HttpServletResponse; 
11  /**
12  * 通過Filter過濾器來防SQL註入攻擊
13  *

14  */ 
15  public class SQLFilter implements Filter { 
16  private String inj_str = "’|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,"; 
17  protected FilterConfig filterConfig = null; 
18  /**
19  * Should a character encoding specified by the client be ignored?
20  */ 
21  protected boolean ignore = true; 
22  public void init(FilterConfig config) throws ServletException { 
23  this.filterConfig = config; 
24  this.inj_str = filterConfig.getInitParameter("keywords"); 
25  } 
26  public void doFilter(ServletRequest request, ServletResponse response, 
27  FilterChain chain) throws IOException, ServletException { 
28  HttpServletRequest req = (HttpServletRequest)request; 
29  HttpServletResponse res = (HttpServletResponse)response; 
30  Iterator values = req.getParameterMap().values().iterator();//獲取所有的表單參數 
31  while(values.hasNext()){ 
32  String[] value = (String[])values.next(); 
33  for(int i = 0;i < value.length;i++){ 
34  if(sql_inj(value[i])){ 
35  //TODO這裡發現sql註入代碼的業務邏輯代碼 
36  return; 
37  } 
38  } 
39  } 
40  chain.doFilter(request, response); 
41  } 
42  public boolean sql_inj(String str) 
43  { 
44  String[] inj_stra=inj_str.split("\\|"); 
45  for (int i=0 ; i < inj_stra.length ; i++ ) 
46  { 
47  if (str.indexOf(" "+inj_stra[i]+" ")>=0) 
48  { 
49  return true; 
50  } 
51  } 
52  return false; 
53  } 
54  } 
 
也可以單獨在需要防范SQL註入的JavaBean的字段上過濾: 
1   /**
2   * 防止sql註入
3   *
4   * @param sql
5   * @return
6   */ 
7   public static String TransactSQLInjection(String sql) { 
8   return sql.replaceAll(".*([‘;]+|(–)+).*", " "); 
9   } 

Leave a Reply

Your email address will not be published. Required fields are marked *