
JSP中过滤器的设置

JSP中过滤器的设置

package com.filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

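/**
 * Servlet filter that rejects a request when any of its parameter values
 * matches a blacklist of SQL / script keywords and metacharacters.
 *
 * <p>This is a keyword blacklist: it only catches what is listed in
 * {@link #reg}, so it is a defense-in-depth layer and does not replace
 * parameterized queries ({@code PreparedStatement}) and output encoding in
 * the application itself. Values are matched after the servlet container has
 * already URL-decoded them once; see {@link #isValid(String[])} for the
 * (limited) extra decoding performed here.
 */
public class SQLFilter implements Filter {

    /**
     * Blacklist regex. Alternatives, in order:
     * <ul>
     *   <li>a single quote and {@code --} (SQL string terminator / line comment)</li>
     *   <li>C-style block comments, including ones spanning newlines
     *       ({@code [\n\r]} lets the lazy {@code .*?} cross line ends)</li>
     *   <li>SQL keywords matched as whole words ({@code \b...\b}); the dot in
     *       the two {@code DBMS_XMLQUERY} entries is an unescaped regex
     *       metacharacter and so matches any character, as in the original</li>
     *   <li>script-related keywords, backticks, a literal {@code <script>} tag
     *       and a few inline event-handler attribute names</li>
     * </ul>
     * {@code (?:...)} groups are non-capturing; the pattern is compiled
     * case-insensitively. "trancate" in the original list was a typo for
     * "truncate" and the duplicate "into" entry has been dropped.
     */
    static final String reg = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|\\b(select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|drop|execute|DBMS_XMLQUERY.GETXML|DBMS_XMLQUERY.NEWCONTEXT)\\b|"
            + "\\b(?:script|eval|vbscript|javascript|base)\\b|(?:[`]+)|(?:<script>)|(?:\\b(?:onload|onerror|onunload|onclick|ondblclick)\\b)";

    /** Compiled once; {@link Pattern} is immutable, so sharing it across requests is safe. */
    static final Pattern sqlPattern = Pattern.compile(reg, Pattern.CASE_INSENSITIVE);

    /**
     * Request URIs that bypass the check entirely, compared by exact match
     * against {@link HttpServletRequest#getRequestURI()}. Built once instead of
     * being re-created on every request.
     */
    private static final Set<String> PASS_URIS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "/dsp71025/kdxt/kysj/qlysscyj.jsp",
                    "/dsp71025/kdxt/kysj/lkfsl.jsp")));

    /** No resources are held, so there is nothing to release. */
    @Override
    public void destroy() {
    }

    /** No configuration is read; the blacklist and pass-list are static. */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    /**
     * Checks every request parameter against the blacklist unless the request
     * URI is on the pass-list. A request with an offending value is answered
     * with {@code 400 Bad Request} and never reaches the rest of the chain.
     *
     * @param req   incoming request; must be an {@link HttpServletRequest}
     * @param resp  outgoing response; must be an {@link HttpServletResponse}
     * @param chain the remaining filter chain
     * @throws IOException      if sending the error response or the chain fails
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(final ServletRequest req, final ServletResponse resp,
            final FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (!PASS_URIS.contains(request.getRequestURI())) {
            Map<String, String[]> params = request.getParameterMap();
            for (Map.Entry<String, String[]> entry : params.entrySet()) {
                String[] value = entry.getValue();
                if (!isValid(value)) {
                    // Parameter name and value are client-controlled and are printed verbatim.
                    System.out.println("参数:" + entry.getKey() + "的值:" + Arrays.toString(value) + "不合法!");
                    // A bare return here would commit an empty 200 response; an explicit
                    // 400 tells the client the request itself was rejected.
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }

        chain.doFilter(request, response);
    }

    /**
     * Returns {@code false} if any element of {@code pValue} matches the blacklist.
     *
     * <p>Before matching, every {@code %} is escaped to {@code %25} and the value
     * is URL-decoded. Because all percent signs have been escaped, no
     * percent-sequence is actually decoded (the container already did that
     * once); the step only turns {@code +} into a space and can never fail on a
     * malformed escape.
     *
     * @param pValue parameter values; a {@code null} or empty array, and
     *               {@code null} elements, are treated as valid
     * @return {@code true} if no value matches the blacklist
     */
    private static boolean isValid(String[] pValue) {
        if (pValue == null || pValue.length == 0) {
            return true;
        }
        for (String raw : pValue) {
            if (raw == null) {
                continue;
            }
            System.out.println("解码前的值: " + raw);
            String decoded;
            try {
                // "%" is itself encoded as "%25" so decode() cannot see a malformed escape.
                decoded = URLDecoder.decode(raw.replace("%", "%25"), "UTF-8");
            } catch (UnsupportedEncodingException e) {
                // Every JVM must support UTF-8; reaching this would be a platform defect.
                throw new IllegalStateException("UTF-8 not supported", e);
            }
            System.out.println("解码后的值: " + decoded);
            if (sqlPattern.matcher(decoded).find()) {
                return false;
            }
        }
        return true;
    }
}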

 
