ESAPI
是owasp提供的一套API级别的web应用解决方案。目的帮助开发者开发出更加安全的代码,并且它本身就很方便调用。
使用
maven 引入esapi和log4j jar包
引入配置文件:
ESAPI.properties
esapi-java-logging.properties
validation.properties
maven依赖
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.3.1</version>
</dependency>
三个配置文件可以从github上获取
代码示例
public class TestMain {
public static void main(String[] args) {
String validatedUserId = "123456' or ''=''--";
String validatedStartDate = "2021-10-15 15:32:00";
final Codec ORACLE_CODEC = new OracleCodec();
String originStr = "select * from test where id='" + validatedUserId + "' and date_created = '" + validatedStartDate + "'";
String sqlStr = "select * from test where id='" +
ESAPI.encoder().encodeForSQL(ORACLE_CODEC, validatedUserId)
+ "' and date_created = '"
+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC, validatedStartDate) + "'";
System.out.println("------------------------------------------------------");
System.out.println(originStr);
System.out.println(sqlStr);
}
}
执行结果
select * from test where id='123456' or ''=''--' and date_created = '2021-10-15 15:32:00'
select * from test where id='123456'' or ''''=''''--' and date_created = '2021-10-15 15:32:00'
