文章摘要:ssh如何防止sql注入 哪些方法可以防止sql注入
ssh防止sql注入的方法: 1.在对应的web文件中添加以下代码: <filter>   […]
ssh防止sql注入的方法:
1.在对应的web文件中添加以下代码:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<!-- filter2 <filter-class>com.wisdombud.cqupt.edu.web.filter.HttpHeaderSecurityFilter</filter-class> -->
<filter-class>com.wisdombud.cqupt.edu.web.vpn.filter.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
2.过滤类,代码:
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.wisdombud.cqupt.edu.web.vpn.filter;
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter;
import org.slf4j.LoggerFactory;
import com.wisdombud.cqupt.edu.web.filter.MutableHttpServletRequest;
import com.wisdombud.cqupt.edu.web.filter.XssHttpServletRequestWrapperNew;
/**
* Provides a single configuration point for security measures that required the
* addition of one or more HTTP headers to the response.
*/
public class HttpHeaderSecurityFilter extends StrutsPrepareAndExecuteFilter {
private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(HttpHeaderSecurityFilter.class);
@Override
public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
throws IOException, ServletException {
final HttpServletRequest request = (HttpServletRequest) req;
final HttpServletResponse response = (HttpServletResponse) res;
final MutableHttpServletRequest mutableHttpServletRequest = new MutableHttpServletRequest(request);
mutableHttpServletRequest.putHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("X-Frame-Options", "SAMEORIGIN");
response.setHeader("X-Content-Type-Options", "nosniff");
final boolean isTrue = sqlInjection(request);
if (isTrue) {
final RequestDispatcher dispatcher = request.getRequestDispatcher("/400.jsp");
dispatcher.forward(request, response);
return;
}
super.doFilter(new XssHttpServletRequestWrapperNew(request), response, chain);
}
private Boolean sqlInjection(final HttpServletRequest httpRequest) {
boolean isIngect = false;
// 获取上下文的请求参数
final Map valueTreeMap = httpRequest.getParameterMap();
// 获得请求参数集合的迭代器
final Iterator iterator = valueTreeMap.entrySet().iterator();
// 遍历组装请求参数
while (iterator.hasNext()) {
// 获得迭代的键值对
final Entry entry = (Entry) iterator.next();
// 获得键值对中的键值
final String key = (String) entry.getKey();
if("title".equals(key)){
System.err.println(key);
}
// 原请求参数,因为有可能一键对多值所以这里用的String[]
String[] oldValues = null;
// 对参数值转换成String类型的
if (entry.getValue() instanceof String) {
oldValues = new String[] {entry.getValue().toString()};
} else {
oldValues = (String[]) entry.getValue();
}
for (int i = 0; i < oldValues.length; i++) {
if (StringUtils.isNotBlank(oldValues[i])) {
if (HasInjectionData(oldValues[i])) {
isIngect = true;
break;
}
}
}
if (isIngect) {
return isIngect;
}
}
return isIngect;
}
/// <summary>
/// 验证是否存在注入代码(条件语句)
/// </summary>
/// <param name="inputData"></param>
public boolean HasInjectionData(final String inputData) {
// 里面定义恶意字符集合
// 验证inputData是否包含恶意集合
if(StringUtils.isBlank(inputData)){
return false;
}
final Pattern pattern = Pattern.compile(GetRegexString());
final Matcher matcher = pattern.matcher(inputData.trim().toLowerCase());
final boolean b = matcher.matches();
if (b) {
LOGGER.info(String.format("检测出SQL注入的恶意数据, {0}", inputData));
return true;
} else {
return false;
}
}
/// <summary>
/// 获取正则表达式
/// </summary>
/// <returns></returns>
private String GetRegexString() {
// 构造SQL的注入关键字符
final String[] strBadChar =
{"select\s", "from\s", "or\s", "insert\s", "delete\s", "update\s", "drop\s", "truncate\s",
"exec\s", "count\(", "declare\s", "asc\(", "mid\(", "char\(", "net user", "xp_cmdshell", "/add\s",
"exec master.dbo.xp_cmdshell", "net localgroup administrators","and\s","=\s" ,"where\s","<",">"};
// 构造正则表达式
String str_Regex = ".*(";
for (int i = 0; i < strBadChar.length - 1; i++) {
str_Regex += strBadChar[i] + "|";
}
str_Regex += strBadChar[strBadChar.length - 1] + ").*";
return str_Regex;
}
}
3.调用类,代码:
package com.wisdombud.cqupt.edu.web.filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
public final class MutableHttpServletRequest extends HttpServletRequestWrapper {
// holds custom header and value mapping
private final Map<String, String> customHeaders;
public MutableHttpServletRequest(HttpServletRequest request) {
super(request);
this.customHeaders = new HashMap<String, String>();
}
public void putHeader(String name, String value) {
this.customHeaders.put(name, value);
}
public String getHeader(String name) {
// check the custom headers first
String headerValue = customHeaders.get(name);
if (headerValue != null) {
return headerValue;
}
// else return from into the original wrapped object
return ((HttpServletRequest) getRequest()).getHeader(name);
}
public Enumeration<String> getHeaderNames() {
// create a set of the custom header names
Set<String> set = new HashSet<String>(customHeaders.keySet());
// now add the headers from the wrapped request object
@SuppressWarnings("unchecked")
Enumeration<String> e = ((HttpServletRequest) getRequest()).getHeaderNames();
while (e.hasMoreElements()) {
// add the names of the request headers into the list
String n = e.nextElement();
set.add(n);
}
// create an enumeration from the set and return
return Collections.enumeration(set);
}
}