Java Web 一些特殊字符的过滤(appscan检查的安全问题)

适用于出现以下问题:

1、SQL盲注

2、存储的跨站点脚本编制 或 跨站点脚本编制


import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AntiSqlInjectionfilter implements Filter {  
	  
    public void destroy() {  
        // TODO Auto-generated method stub  
    }  
      
    public void init(FilterConfig arg0) throws ServletException {  
        // TODO Auto-generated method stub  
    }  
      
    public void doFilter(ServletRequest args0, ServletResponse args1,  
            FilterChain chain) throws IOException, ServletException {  
        HttpServletRequest req=(HttpServletRequest)args0;  
        HttpServletResponse res=(HttpServletResponse)args1;  
         //获得所有请求参数名  
        Enumeration params = req.getParameterNames();  
        String sql = "";  
        while (params.hasMoreElements()) {  
            //得到参数名  
            String name = params.nextElement().toString();  
            //System.out.println("name===========================" + name + "--");  
            //得到参数对应值  
            String[] value = req.getParameterValues(name);  
            for (int i = 0; i < value.length; i++) {  
                sql = sql + value[i];  
            }  
        }  
        //System.out.println("============================SQL"+sql);  
        //有sql关键字,跳转到error.html  
        if (sqlValidate(sql)) {
            throw new IOException("您发送请求中的参数中含有非法字符:"+sql);  
            //String ip = req.getRemoteAddr();  
        } else {  
            chain.doFilter(args0,args1);  
        }  
    }  
      
    //效验  
    protected static boolean sqlValidate(String str) {  
        str = str.toLowerCase();//统一转为小写  
        String badStr = "'|select|update|and|or|delete|insert|truncate|char|into"
        		+ "|substr|declare|exec|master|drop|execute|"
        		+ "union|;|--|+|,|like|//|/|%|#|*|$|@|\"|http|cr|lf|<|>|(|)";//过滤掉的sql关键字,可以手动添加  
        String[] badStrs = badStr.split("\\|");  
        for (int i = 0; i < badStrs.length; i++) {  
            if (str.indexOf(badStrs[i]) >= 0) {  
                return true;  
            }  
        }  
        return false;  
    }  
}


你可能感兴趣的:(JAVA)