diff --git a/src/main/java/com/baiyee/adcallback/api/filter/SqlFilter.java b/src/main/java/com/baiyee/adcallback/api/filter/SqlFilter.java new file mode 100644 index 0000000..0252712 --- /dev/null +++ b/src/main/java/com/baiyee/adcallback/api/filter/SqlFilter.java @@ -0,0 +1,59 @@ +package com.baiyee.adcallback.api.filter; + +import org.springframework.context.annotation.Configuration; +import javax.servlet.*; +import javax.servlet.annotation.WebFilter; +import java.io.IOException; +import java.util.Enumeration; + + +@WebFilter(urlPatterns = "/*",filterName = "sqlFilter") +@Configuration +public class SqlFilter implements Filter{ + @Override + public void init(FilterConfig filterConfig) throws ServletException {} + + /** + * @description sql注入过滤 + */ + @Override + public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { + // 获得所有请求参数名 + Enumeration names = servletRequest.getParameterNames(); + String sql = ""; + while (names.hasMoreElements()){ + // 得到参数名 + String name = names.nextElement().toString(); + // 得到参数对应值 + String[] values = servletRequest.getParameterValues(name); + for (int i = 0; i < values.length; i++) { + sql += values[i]; + } + } + if (sqlValidate(sql)) { + //TODO 这里直接抛异常处理,前后端交互项目中,请把错误信息按前后端"数据返回的VO"对象进行封装 + throw new IOException("您发送请求中的参数中含有非法字符"); + } else { + filterChain.doFilter(servletRequest, servletResponse); + } + } + + /** + * @description 匹配效验 + */ + protected static boolean sqlValidate(String str){ + // 统一转为小写 + String s = str.toLowerCase(); + // 过滤掉的sql关键字,特殊字符前面需要加\\进行转义 + String badStr = + "select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|table|"+ + "char|declare|sitename|xp_cmdshell|like|from|grant|use|group_concat|column_name|" + + "information_schema.columns|table_schema|union|where|order|by|" + + "'\\*|\\;|\\-|\\--|\\+|\\,|\\//|\\/|\\%|\\#"; + //使用正则表达式进行匹配 + return s.matches(badStr); + } + + @Override + public void destroy() {} +}