java防止SQL注入

前言

这里常用的方法就不说了，#{}预编译不说，但是如果我们不得不用${}来传递参数，那就有点麻烦了，另外，一般我们会用到druid自带的sql注入过滤：

但是经过测试发现，这个方法并不能完全屏宾sql注入，比如：

select * from user where state=${state}
state传递 1 or state=2 这样就能跳过druid的检查

所以，还是需要我们自己自定义过滤拦截。

自定义拦截器

/**
 * 防止SQL注入的拦截器
 *
 * @author scott
 * @time 2018-05-21
 */
@Slf4j
public class SqlInjectInterceptor implements HandlerInterceptor {

	@Override  
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object arg2, Exception arg3)  
            throws Exception {  
        // TODO Auto-generated method stub  

    }  

    @Override  
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object arg2, ModelAndView arg3)  
            throws Exception {  
        // TODO Auto-generated method stub  

    }  

    @Override  
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object arg2) throws Exception {
    	//常规业务操作（无SQL值情况）， 针对数据库SQL操作，进行开发者权限控制，防止SQL注入
        Enumeration<String> names = request.getParameterNames();  
        while(names.hasMoreElements()){  
            String name = names.nextElement();  
            String[] values = request.getParameterValues(name);  
            for(String value: values){
                //sql注入直接拦截
                if(judgeSQLInject(value.toLowerCase())){
                	log.info("-----------Sql注入拦截-----------name: "+name+" -------------value:"+ value);
                    response.setContentType("text/html;charset=UTF-8");  
                    response.getWriter().print("参数含有非法攻击字符,已禁止继续访问！");  
                    return false;  
                }
                //跨站xss清理
                clearXss(value);
            }  
        }  
        return true;  
    }  

    /** 
     * 判断参数是否含有攻击串 
     * @param value 
     * @return 
     */  
    public boolean judgeSQLInject(String value){
        if(value == null || "".equals(value)){  
            return false;  
        }  
        String xssStr = "and |or |select |update |delete |drop |truncate |%20|=|--|!=";  
        String[] xssArr = xssStr.split("\\|");  
        for(int i=0;i<xssArr.length;i++){  
            if(value.indexOf(xssArr[i])>-1){  
                return true;  
            }  
        }  
        return false;  
    }

    /**
     * 处理跨站xss字符转义
     *
     * @param value
     * @return
     */
    private String clearXss(String value) {
    	log.debug("----before--------处理跨站xss字符转义----------"+ value);
        if (value == null || "".equals(value)) {
            return value;
        }
        value = value.replaceAll("<", "<").replaceAll(">", ">");
        value = value.replaceAll("\\(", "(").replace("\\)", ")");
        value = value.replaceAll("'", "'");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
                "\"\"");
        value = value.replace("script", "");
        
        //为了用户密码安全，禁止列表查询展示用户密码----------
        value = value.replace(",password","").replace("password","");
        log.debug("----end--------处理跨站xss字符转义----------"+ value);
        return value;
    }
}

@Configuration
public class WebMvcConfiguration implements WebMvcConfigurer 

	@Bean
	public SqlInjectInterceptor sqlInjectInterceptor(){
		return new SqlInjectInterceptor();
	}

	@Override
	public void addInterceptors(InterceptorRegistry registry) {
		registry.addInterceptor(sqlInjectInterceptor()).addPathPatterns("/**");
	}
}

ok，这样就差不多了，欢迎指正