1.工具類
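public class StringFilterUtil {

    /** Character set removed by {@link #StringFilter(String)}; the author's original list, kept verbatim. */
    private static final String SPECIAL_CHAR_REGEX =
        "[`~!@#$%^&*()+=|{}':;',\\[\\].<>/?~!@#¥%……&*()——+|{}【】‘;:”“’。,、?]";

    // Compiled once rather than on every call; Pattern is immutable and safe to share.
    private static final Pattern SPECIAL_CHAR_PATTERN = Pattern.compile(SPECIAL_CHAR_REGEX);

    /** Blacklisted fragments for {@link #sql_inj(String)}, '!'-separated; the author's original list, kept verbatim. */
    private static final String INJ_STR =
        "union!#!'!and!exec!insert!select!delete!update!count!%!chr!mid!master!truncate!char!declare!;!or!-!+";

    // Split once at class load; every token in INJ_STR is already lower-case.
    private static final String[] INJ_TOKENS = INJ_STR.split("!");

    /**
     * Removes every character matched by {@code SPECIAL_CHAR_REGEX} and trims surrounding whitespace.
     *
     * @param str the text to filter; {@code null} is treated as an empty string
     *            (the previous version threw {@link NullPointerException} on {@code null})
     * @return the filtered, trimmed text; never {@code null}
     */
    public static String StringFilter(String str) {
        if (str == null) {
            return "";
        }
        Matcher m = SPECIAL_CHAR_PATTERN.matcher(str);
        return m.replaceAll("").trim();
    }

    /**
     * Heuristic blacklist check: returns {@code true} when {@code str} contains any token of
     * {@code INJ_STR}. Matching is case-insensitive because SQL keywords are; the previous
     * plain {@code indexOf} missed {@code "SELECT"} while catching {@code "select"}.
     *
     * <p>This is a keyword blacklist, not a parser, and is no substitute for passing user input
     * to the database through {@code PreparedStatement} parameters. Known limitations that callers
     * should expect: tokens such as {@code "or"}, {@code "and"}, {@code "-"}, {@code "+"} and
     * {@code "%"} also match ordinary data ("order", "brand", hyphenated numbers), producing
     * false positives, and encodings or spacing not in the list are not detected.
     *
     * @param str the text to inspect; {@code null} or empty yields {@code false}
     * @return {@code true} if any blacklisted token occurs in {@code str}
     */
    public static boolean sql_inj(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        // Locale.ROOT avoids locale-specific case folding (e.g. Turkish dotless i).
        String lower = str.toLowerCase(java.util.Locale.ROOT);
        for (String token : INJ_TOKENS) {
            if (lower.contains(token)) {
                return true;
            }
        }
        return false;
    }
}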
2.後端對使用者輸入的參數進行過濾
// Empty result grid, written back when any search parameter trips the blacklist.
// (Grid and CustomerOrderModel are project types not shown here.)
Grid<CustomerOrderModel> order = new Grid<CustomerOrderModel>();

// Free-text search parameters to screen; a missing value is screened as "".
String[] searchParams = {
    orderPage.getCUST_NO(),
    orderPage.getORDER_NO(),
    orderPage.getREVERSE_ORDER_NO(),
    orderPage.getTRANS_NO(),
    orderPage.getSELLER_NO(),
    orderPage.getCUST_NAME(),
    orderPage.getMOBILE()
};
boolean suspicious = false;
for (String param : searchParams) {
    if (StringFilterUtil.sql_inj(param == null ? "" : param)) {
        suspicious = true;
    }
}
if (suspicious) {
    // NOTE(review): only the empty grid is written here; nothing in this excerpt stops
    // execution afterwards, so the filtering below still runs — confirm the enclosing
    // handler returns after this branch. The blacklist is also no substitute for
    // parameterized queries where these values reach SQL.
    printHttpServletResponse(GsonUtil.toJson(order), response);
}

// Strip special characters from each populated model field.
// StringFilter's current implementation never returns null; the "" fallback is defensive.
String cid = model.getCid();
if (cid != null) {
    String cleaned = StringFilterUtil.StringFilter(cid);
    model.setCid(cleaned == null ? "" : cleaned);
}
String custName = model.getCustName();
if (custName != null) {
    String cleaned = StringFilterUtil.StringFilter(custName);
    model.setCustName(cleaned == null ? "" : cleaned);
}
String mobile = model.getMobile();
if (mobile != null) {
    String cleaned = StringFilterUtil.StringFilter(mobile);
    model.setMobile(cleaned == null ? "" : cleaned);
}
String idNo = model.getIdNo();
if (idNo != null) {
    String cleaned = StringFilterUtil.StringFilter(idNo);
    model.setIdNo(cleaned == null ? "" : cleaned);
}