原文地址:https://blog.csdn.net/weixin_39728880/article/details/101029681
在項目中我們經常會遇到這些sql注入的問題,這邊我介紹的是通過filter攔截的方式進行過濾一些sql腳本的注入,在平時編程的時候我們也要注意,在程序中編寫sql腳本(mapper.xml) 文件的時候能用#盡量用#,避免一個惡意攻擊網站的人。
首先介紹一下#和$的區別:
- #{}:占位符號,好處防止sql注入,自帶單引號變量
- ${}:sql拼接符號,原生變量
接下來介紹寫在java項目中(springboot)如何通過webFilter防止sql注入:
private String regx;
public void init(FilterConfig filterConfig) throws ServletException {
this.regx = filterConfig.getInitParameter("regx");
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) servletRequest;
Map parametersMap = servletRequest.getParameterMap();
Iterator it = parametersMap.entrySet().iterator();
while (it.hasNext()) {
Map.Entry entry = (Map.Entry) it.next();
String[] value = (String[]) entry.getValue();
for (int i = 0; i < value.length; i++) {
if (null != value[i] && value[i].matches(this.regx)) {
log.error("您輸入的參數有非法字符,請輸入正確的參數!");
servletRequest.setAttribute("err", "您輸入的參數有非法字符,請輸入正確的參數!");
servletRequest.setAttribute("pageUrl",req.getRequestURI());
servletRequest.getRequestDispatcher(servletRequest.getServletContext().getContextPath() + "/error").forward(servletRequest, servletResponse);
return;
}
}
}
}
}
public void destroy() {
}
}
啟動類上記得加注解:
@ServletComponentScan(basePackages ="xxxx.xxx.xxx.filter") //filter所在的包,掃描