問題背景:
生産有個老項目使用的是jsp+servlet寫的,對安全方面幾乎沒有,對執行的sql使用的是
Statement.executeUpdate(sql),沒有使用PreparedStatement.executeUpdate(sql)
容易造成惡意攻擊
解決思想:
1)配置全局過濾器,通過關鍵字比對來攔截惡意請求
2)寫sql的時候用PreparedStatement
本次使用的是配置全局過濾器
1.在web.xml中加入以下配置
<!-- 防止SQL注入的過濾器 -->
<filter>
<filter-name>SqlInjectionFilter</filter-name>
<filter-class>org.oct.attachment.secure.SqlInjectFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SqlInjectionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2.建立全局過濾器
package org.oct.attachment.secure;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import java.io.IOException;
import java.util.Enumeration;
/**
* @author xiaoss
* @since 1.0, 2022年08月22日 12:06:13
*/
public class SqlInjectFilter implements Filter {
// Logger logger= LoggerFactory.getLogger(SqlInjectFilter.class);
private static final Logger logger = Logger.getLogger(SqlInjectFilter.class);
private static final String SQL_REGX = ".*(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|drop|execute)\\b).*";
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
logger.error("進入全局過濾器==================================");
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
//獲得所有請求參數名
Enumeration params = req.getParameterNames();
logger.error("url=================================="+req.getRequestURI()+ req.getQueryString());
String sql = "";
while (params.hasMoreElements()) {
//得到參數名
String name = params.nextElement().toString();
//得到參數對應值
String[] value = req.getParameterValues(name);
for (int i = 0; i < value.length; i++) {
sql = sql + value[i];
}
}
//有sql關鍵字,跳轉到error.html
if (sqlValidate(sql)) {
logger.error("您發送請求中的參數中含有非法字元"+sql);
//throw new IOException("您發送請求中的參數中含有非法字元");
} else {
logger.error("執行完全局過濾器"+sql);
chain.doFilter(req, res);
}
}
//效驗
protected static boolean sqlValidate(String str) {
str = str.toLowerCase();//統一轉為小寫
if(str.matches(SQL_REGX)){
return true;
}
return false;
}
public void init(FilterConfig filterConfig) throws ServletException {
}
public void destroy() {
}
}