ESAPI
是owasp提供的一套API級別的web應用解決方案。目的幫助開發者開發出更加安全的代碼,並且它本身就很方便調用。
使用
maven 引入esapi和log4j jar包
引入配置文件:
ESAPI.properties
esapi-java-logging.properties
validation.properties
maven依賴
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.3.1</version>
</dependency>
三個配置文件可以從github上獲取
代碼示例
public class TestMain {
public static void main(String[] args) {
String validatedUserId = "123456' or ''=''--";
String validatedStartDate = "2021-10-15 15:32:00";
final Codec ORACLE_CODEC = new OracleCodec();
String originStr = "select * from test where id='" + validatedUserId + "' and date_created = '" + validatedStartDate + "'";
String sqlStr = "select * from test where id='" +
ESAPI.encoder().encodeForSQL(ORACLE_CODEC, validatedUserId)
+ "' and date_created = '"
+ ESAPI.encoder().encodeForSQL(ORACLE_CODEC, validatedStartDate) + "'";
System.out.println("------------------------------------------------------");
System.out.println(originStr);
System.out.println(sqlStr);
}
}
執行結果
select * from test where id='123456' or ''=''--' and date_created = '2021-10-15 15:32:00'
select * from test where id='123456'' or ''''=''''--' and date_created = '2021-10-15 15:32:00'
