Java: filtering sensitive words and special characters to prevent SQL injection
A while ago I was told that the company homepage had a flaw that allowed SQL injection, so I searched the web to see whether anything existed for this kind of problem.
At first I wanted to filter sensitive words and special characters in one pass, but I could not think of a good way to do it,
so I borrowed some ideas from the web and wrote a filtering method. Overall it works in two steps:
one, filter sensitive words (this list is all I can think of for now; you can add your own);
two, filter special characters.
The code is as follows:
```java
import java.util.regex.Pattern;

String sqlValidate(String str) {
    if (str == null) {
        return null;
    }
    String str2 = str.toLowerCase(); // normalise to lower case for the checks
    // keywords (duplicates from the original list removed; behaviour is unchanged)
    String[] SqlStr1 = {"and", "exec", "execute", "insert", "select", "delete", "update",
            "count", "drop", "chr", "mid", "master", "truncate", "char", "declare",
            "sitename", "net user", "xp_cmdshell", "like", "create", "table", "from",
            "grant", "use", "group_concat", "column_name", "information_schema.columns",
            "table_schema", "union", "where", "order", "by", "or"};
    // special characters
    String[] SqlStr2 = {"*", "\"", ";", "or", "-", "--", "+", "//", "/", "%", "#"};
    for (int i = 0; i < SqlStr1.length; i++) {
        if (str2.indexOf(SqlStr1[i]) >= 0) {
            // regex replace of the keyword, ignoring case; Pattern.quote keeps the
            // "." in "information_schema.columns" from matching any character
            str = str.replaceAll("(?i)" + Pattern.quote(SqlStr1[i]), "");
        }
    }
    for (int i = 0; i < SqlStr2.length; i++) {
        if (str2.indexOf(SqlStr2[i]) >= 0) {
            // literal replace: "*" and "+" are regex operators and would make
            // replaceAll throw PatternSyntaxException
            str = str.replace(SqlStr2[i], "");
        }
    }
    return str;
}
```
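As an added example that is not part of the original post, the Java below shows what this blacklist does to benign input (names like "Corrina Anderson" lose the letters that spell "or" and "and") and the check a practitioner would pair with it: a JDBC PreparedStatement, which hands the value to the driver separately from the SQL text, so the input never needs to be stripped. The shortened word lists, the users table, its name column and the Connection passed to countUsersNamed are assumptions for the demo.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class SqlFilterDemo {

    // Shortened version of the post's blacklists (constructed for this demo).
    static final String[] WORDS = {"select", "union", "and", "or", "drop"};
    static final String[] CHARS = {"*", "\"", ";", "--", "+", "%", "#"};

    // Same removal strategy as the post: every blacklisted word is deleted
    // case-insensitively, every special character literally. Pattern.quote
    // keeps "*" and "+" from being read as regex operators.
    static String filter(String input) {
        String out = input;
        for (String w : WORDS) {
            out = out.replaceAll("(?i)" + Pattern.quote(w), "");
        }
        for (String c : CHARS) {
            out = out.replace(c, "");
        }
        return out;
    }

    // Parameterized query: the value is bound to the placeholder, so no
    // character in 'name' can change the statement's structure.
    // Table and column names are assumptions for the demo.
    static int countUsersNamed(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed benign inputs: each contains a blacklisted substring,
        // so the filter silently corrupts data a real user typed.
        String[] samples = {"Corrina Anderson", "Android 5.0+", "50% off"};
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> \"" + filter(s) + "\"");
        }
    }
}
```

Running main prints each sample beside its filtered form; countUsersNamed needs an open JDBC Connection and is the form that stays correct for all three samples.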