过滤特殊、不合法字符 防止sql注入

1.工具类

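/**
 * Blocklist-based screening of user-supplied strings.
 *
 * <p>Both methods work on substrings only: {@link #StringFilter(String)} strips
 * punctuation and {@link #sql_inj(String)} reports whether any entry of a fixed
 * keyword list occurs in the input. Neither is a substitute for
 * {@code PreparedStatement} with bound parameters; treat them as an extra
 * input-validation layer, not as the control that prevents SQL injection.
 *
 * <p>Stateless; safe to call from multiple threads ({@link Pattern} is immutable).
 */
public class StringFilterUtil {

    /** Punctuation (ASCII and full-width) removed by {@link #StringFilter(String)}. Compiled once. */
    private static final Pattern SPECIAL_CHARS = Pattern.compile(
            "[`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#¥%……&*()——+|{}【】‘;:”“’。,、?]");

    /**
     * Substrings that {@link #sql_inj(String)} treats as injection indicators.
     * Several are ordinary words or symbols ("or", "and", "mid", "count", "-", "+", "%"),
     * so legitimate values such as names or phone numbers can be rejected (false positives).
     */
    private static final String[] SQL_KEYWORDS = {
        "union", "#", "'", "and", "exec", "insert", "select", "delete", "update", "count",
        "%", "chr", "mid", "master", "truncate", "char", "declare", ";", "or", "-", "+"
    };

    /** Alternation of all {@link #SQL_KEYWORDS}, quoted literally and matched case-insensitively. */
    private static final Pattern SQL_KEYWORD_PATTERN = buildKeywordPattern();

    /**
     * Removes every character listed in {@link #SPECIAL_CHARS} and trims surrounding whitespace.
     *
     * @param str input to clean; {@code null} is treated as the empty string
     * @return the cleaned, trimmed string; never {@code null}
     */
    public static String StringFilter(String str) {
        if (str == null) {
            return "";
        }
        Matcher m = SPECIAL_CHARS.matcher(str);
        return m.replaceAll("").trim();
    }

    /**
     * Reports whether {@code str} contains any of the blocklisted SQL keywords or symbols.
     *
     * <p>Matching is case-insensitive so that {@code UNION} is caught as well as {@code union};
     * the previous {@code indexOf} check was case-sensitive and missed upper-case keywords.
     *
     * @param str input to screen; {@code null} is treated as the empty string
     * @return {@code true} if at least one blocklisted substring occurs, {@code false} otherwise
     */
    public static boolean sql_inj(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return SQL_KEYWORD_PATTERN.matcher(str).find();
    }

    /** Builds one regex from {@link #SQL_KEYWORDS}; each entry is quoted so symbols match literally. */
    private static Pattern buildKeywordPattern() {
        StringBuilder alternation = new StringBuilder();
        for (String keyword : SQL_KEYWORDS) {
            if (alternation.length() > 0) {
                alternation.append('|');
            }
            alternation.append(Pattern.quote(keyword));
        }
        return Pattern.compile(alternation.toString(), Pattern.CASE_INSENSITIVE);
    }
}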

2.后端对用户输入的参数进行过滤

		// Empty grid: serialized as the response body when any screened field is rejected below.
		Grid<CustomerOrderModel> order=new Grid<CustomerOrderModel>();
		// Each search field is null-coalesced to "" because sql_inj() calls indexOf on its argument
		// and would throw NullPointerException on null. The fields are only checked, not modified.
		boolean a = StringFilterUtil.sql_inj(null == orderPage.getCUST_NO()?"":orderPage.getCUST_NO());
		boolean b = StringFilterUtil.sql_inj(null == orderPage.getORDER_NO()?"":orderPage.getORDER_NO());
		boolean c = StringFilterUtil.sql_inj(null == orderPage.getREVERSE_ORDER_NO()?"":orderPage.getREVERSE_ORDER_NO());
		boolean d = StringFilterUtil.sql_inj(null == orderPage.getTRANS_NO()?"":orderPage.getTRANS_NO());
		boolean e = StringFilterUtil.sql_inj(null == orderPage.getSELLER_NO()?"":orderPage.getSELLER_NO());
		boolean f = StringFilterUtil.sql_inj(null == orderPage.getCUST_NAME()?"":orderPage.getCUST_NAME());
		boolean g = StringFilterUtil.sql_inj(null == orderPage.getMOBILE()?"":orderPage.getMOBILE());
		// NOTE(review): the empty grid is written but there is no return here, so execution falls
		// through to the filtering below and whatever follows this excerpt. The enclosing method is
		// outside this listing — confirm that it actually stops processing after a rejected field.
		if (a||b||c||d||e||f||g){
			printHttpServletResponse(GsonUtil.toJson(order),response);
		}
		// The model fields are sanitized in place (characters stripped), not rejected.
		// StringFilter() returns m.replaceAll("").trim(), which is never null, so the
		// null==s guard on each setter is redundant but harmless.
		if (null!=model.getCid()){
			String s=StringFilterUtil.StringFilter(model.getCid());
			model.setCid(null==s?"":s);
		}
		if (null!=model.getCustName()){
			String s=StringFilterUtil.StringFilter(model.getCustName());
			model.setCustName(null==s?"":s);
		}
		if (null!=model.getMobile()){
			String s=StringFilterUtil.StringFilter(model.getMobile());
			model.setMobile(null==s?"":s);
		}
		if (null!=model.getIdNo()){
			String s=StringFilterUtil.StringFilter(model.getIdNo());
			model.setIdNo(null==s?"":s);
		}
