Java 防 SQL 注入，最簡單的辦法是杜絕 SQL 拼接。SQL 注入攻擊能得逞，是因爲在原有 SQL 語句中加入了新的邏輯；如果使用 PreparedStatement 來代替 Statement 執行 SQL 語句，其後只是輸入參數，SQL 注入攻擊手段將無效，這是因爲 PreparedStatement 不允許在不同的插入時間改變查詢的邏輯結構，這樣大部分的 SQL 注入已經擋住了。在 WEB 層我們還可以過濾用戶的輸入來防止 SQL 注入，比如用 Filter 來過濾全局的表單參數。
01 import ception
02 import ator
03 import er
04 import erChain
05 import erConfig
06 import letException
07 import letRequest
08 import letResponse
09 import ServletRequest
10 import ServletResponse
11 /**
12 * 透過Filter過濾器來防SQL注入攻擊
13 *
14 */
15 public class SQLFilter implements Filter {
16 private String inj_str = "|and|exec|insert|select|delete|update|count|*|%
|chr|mid|master|truncate|char|declare||or|-|+|,"
17 protected FilterConfig filterConfig = null
18 /**
19 * Should a character encoding specified by the client be ignored?
20 */
21 protected boolean ignore = true
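/**
 * Stores the filter configuration and, when the {@code keywords} init
 * parameter is present, replaces the built-in keyword list with it.
 *
 * The listing as shown assigned the init parameter unconditionally, so a
 * filter declared without {@code keywords} would leave {@code inj_str} null
 * and the later {@code split} in {@code sql_inj} would throw. The default
 * list is now only overridden by a non-blank value.
 *
 * @param config the container-supplied filter configuration
 * @throws ServletException never thrown here; declared by {@link Filter#init}
 */
@Override
public void init(FilterConfig config) throws ServletException {
    this.filterConfig = config;
    // Only a non-blank init parameter overrides the default keyword list;
    // otherwise inj_str would become null and split() would fail later.
    String keywords = config.getInitParameter("keywords");
    if (keywords != null && !keywords.trim().isEmpty()) {
        this.inj_str = keywords;
    }
}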
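/**
 * Scans every request parameter value with {@link #sql_inj(String)} and
 * rejects the request before it reaches the application when a blacklisted
 * keyword is found; otherwise the request continues down the filter chain.
 *
 * This is a keyword blacklist, not an SQL-injection fix: the database layer
 * still needs PreparedStatement with bound parameters. Only request
 * parameters (query string and form body) are inspected here; headers,
 * cookies and non-form request bodies are not.
 *
 * The listing as shown returned silently on a match, leaving the client
 * with an empty response; a flagged request is now answered with
 * 400 Bad Request. The unchecked cast to HttpServletRequest is gone, since
 * {@code getParameterMap()} is available on {@code ServletRequest}.
 *
 * @param request  the incoming request whose parameters are scanned
 * @param response the response, used to reject a flagged request
 * @param chain    the remaining filter chain
 * @throws IOException      if sending the error response fails
 * @throws ServletException propagated from the rest of the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    // getParameterMap() is defined on ServletRequest, so no cast is needed
    // to read the parameters. Each map value is a String[] (multi-valued
    // parameters), which is why the inner loop exists.
    for (Object entry : request.getParameterMap().values()) {
        String[] values = (String[]) entry;
        for (String value : values) {
            if (sql_inj(value)) {
                // TODO: application-specific handling (e.g. audit logging)
                // of a rejected request goes here.
                // Reject explicitly instead of returning with an empty 200.
                if (response instanceof HttpServletResponse) {
                    ((HttpServletResponse) response)
                            .sendError(HttpServletResponse.SC_BAD_REQUEST);
                }
                return;
            }
        }
    }
    chain.doFilter(request, response);
}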
42 public boolean sql_inj(String str)
43 {
44 String[] inj_stra=inj_t("|")
45 for (int i=0 i < inj_th i++ )
46 {
47 if (xOf(" "+inj_stra[i]+" ")>=0)
48 {