攔截器的配置導致只能返回 boolean 類型的數據,那麼要讓前端知道在哪裡被攔截了、攔截了什麼,就要用到 JSON 數據,返回相應的數據:
package com.sysh.web.interceptor;
/**
* Created by sjy Cotter on 2018/7/24.
*/
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.sf.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
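/**
 * Rejects requests whose parameters contain a token from a small SQL-injection
 * blocklist, answering with a JSON body instead of the bare {@code boolean} that
 * {@link HandlerInterceptor#preHandle} allows, so the front end can tell where
 * and why it was blocked.
 *
 * <p>Scope, as written: only {@link HttpServletRequest#getParameterNames()} is
 * inspected, i.e. the query string and form-encoded body. Headers, cookies, the
 * request path and JSON/multipart bodies are not looked at. Matching is a plain
 * substring blocklist, so it both misses anything it does not list and rejects
 * legitimate values that happen to contain e.g. {@code #} or {@code --}. Treat it
 * as defence in depth; parameterized queries remain the actual SQL-injection fix.
 */
public class SqlInjectInterceptor implements HandlerInterceptor {

    private static final Logger log = LoggerFactory.getLogger(SqlInjectInterceptor.class);

    /** Application-level code placed in the JSON body when a parameter is rejected. */
    private static final int REJECT_CODE = 1004;

    /**
     * Substrings that cause a parameter to be rejected. Built once instead of
     * re-splitting a pipe-joined string on every call. The tokens are lower-case and
     * compared case-sensitively, so {@link #preHandle} lower-cases the value first.
     * {@code "%20"} is presumably meant to catch an encoded space; the container has
     * typically URL-decoded parameters once by this point, so it only matches
     * double-encoded input — confirm against the original intent.
     */
    private static final String[] SQL_INJECT_TOKENS = {
        "select", "update", "delete", "truncate", "%20", "--", "#", "\\", "!="
    };

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) throws Exception {
        // Intentionally empty: nothing to clean up after the handler has run.
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) throws Exception {
        // Intentionally empty: the check happens entirely in preHandle.
    }

    /**
     * Inspects every request parameter value and stops the request at the first one
     * that matches the blocklist.
     *
     * @param request  the incoming request; only its parameters are inspected
     * @param response receives the JSON rejection body when a match is found
     * @param handler  the chosen handler, unused
     * @return {@code false} (request stopped, body already written) when a parameter
     *         matches, {@code true} to continue the handler chain
     * @throws Exception propagated from the servlet API when even the fallback
     *         error response cannot be sent
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (value == null) {
                    continue;
                }
                // Locale.ROOT: the blocklist is ASCII, so the JVM default locale must
                // not influence the match (e.g. Turkish dotless i).
                if (judgeSQLInject(value.toLowerCase(Locale.ROOT))) {
                    // The value itself is attacker-controlled and is deliberately not logged.
                    log.warn("Rejected {} {}: parameter '{}' matched the SQL-injection blocklist",
                            request.getMethod(), request.getRequestURI(), name);
                    writeRejection(response);
                    return false;
                }
                // NOTE(review): the return value is discarded and servlet request
                // parameters are read-only, so this call does not change what the
                // handler receives. Sanitising would need an HttpServletRequestWrapper.
                clearXss(value);
            }
        }
        return true;
    }

    /**
     * Writes the JSON rejection body. The HTTP status is deliberately left at the
     * container default so the reply has the same shape as a normal API response;
     * clients and monitoring therefore have to key on {@code code == 1004}.
     *
     * @param response the response to write to
     * @throws IOException if the fallback {@code sendError} itself fails
     */
    private void writeRejection(HttpServletResponse response) throws IOException {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("application/json; charset=utf-8");
        try {
            JSONObject res = new JSONObject();
            res.put("code", REJECT_CODE);
            res.put("message", "false");
            res.put("data", "參數含有非法字符,請注意是否含有(空格,/,#)等特殊字符");
            response.getWriter().append(res.toString());
        } catch (IOException | RuntimeException e) {
            log.error("Failed to write the rejection response", e);
            // sendError is only possible while nothing has been flushed to the client.
            if (!response.isCommitted()) {
                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    /**
     * Returns whether {@code value} contains any blocklisted substring.
     *
     * <p>The comparison is case-sensitive; the tokens are lower-case, so callers
     * lower-case the input first. Null or empty input is never treated as an attack.
     *
     * @param value the parameter value to inspect, may be {@code null}
     * @return {@code true} if a blocklisted token occurs anywhere in {@code value}
     */
    public boolean judgeSQLInject(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        return Arrays.stream(SQL_INJECT_TOKENS).anyMatch(value::contains);
    }

    /**
     * Strips a few script-like fragments from a value.
     *
     * <p>NOTE(review): as it appears here the first three statements replace each
     * character with itself (the HTML entities were probably decoded somewhere in
     * transit), so those lines are no-ops — confirm the intended replacements
     * (e.g. {@code &lt;}) against the original source. Independently of that, the
     * only caller discards the result, so the method currently has no effect on
     * request handling.
     *
     * @param value the parameter value, may be {@code null} or empty
     * @return the rewritten value, or {@code value} unchanged when null/empty
     */
    private String clearXss(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        String cleaned = value.replaceAll("<", "<").replaceAll(">", ">");
        // replace(), not replaceAll(): this looks for the literal two-character sequence "\)".
        cleaned = cleaned.replaceAll("\\(", "(").replace("\\)", ")");
        cleaned = cleaned.replaceAll("'", "'");
        cleaned = cleaned.replaceAll("eval\\((.*)\\)", "");
        cleaned = cleaned.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        cleaned = cleaned.replace("script", "");
        return cleaned;
    }
}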
這是一種直接返回類似於正常訪問所返回的數據格式的做法,這樣前端就能識別出來,進而進行展示。
