
    ssh如何防止sql注入[ 网络知识 ]

    网络知识 时间:2024-12-03 10:20:14

    作者:文/会员上传

    简介:

    ssh防止sql注入的方法:1.在对应的web文件中添加以下代码:<filter><filter-name>httpHeaderSecurity</filter-name><!--filter2<filter-class>com.wisdombud.cqupt.edu.web.fil


    ssh防止sql注入的方法:

    1.在对应的web文件中添加以下代码:

    <!-- Registers the filter defined below: it sets X-Frame-Options / X-Content-Type-Options
         on every response and forwards to /400.jsp when a request parameter matches the
         SQL deny-list. -->
    <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- Earlier location of the class, kept commented out by the author. -->
    <!--filter2<filter-class>com.wisdombud.cqupt.edu.web.filter.HttpHeaderSecurityFilter</filter-class>-->
    <filter-class>com.wisdombud.cqupt.edu.web.vpn.filter.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    </filter>
    <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- NOTE(review): "*" on its own is not one of the url-pattern forms the Servlet spec
         defines ("/", "/path/*", "*.ext", exact path); "/*" is the usual catch-all. Confirm
         the container really applies this mapping to every request. -->
    <url-pattern>*</url-pattern>
    </filter-mapping>

    2.过滤类,代码:

    /*
     * Licensed to the Apache Software Foundation (ASF) under one or more
     * contributor license agreements.  See the NOTICE file distributed with
     * this work for additional information regarding copyright ownership.
     * The ASF licenses this file to You under the Apache License, Version 2.0
     * (the "License"); you may not use this file except in compliance with
     * the License.  You may obtain a copy of the License at
     *
     *      http://www.apache.org/licenses/LICENSE-2.0
     *
     * Unless required by applicable law or agreed to in writing, software
     * distributed under the License is distributed on an "AS IS" BASIS,
     * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     * See the License for the specific language governing permissions and
     * limitations under the License.
     */

    package com.wisdombud.cqupt.edu.web.vpn.filter;

    import java.io.IOException;
    import java.util.Iterator;
    import java.util.Locale;
    import java.util.Map;
    import java.util.Map.Entry;
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    import javax.servlet.FilterChain;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.lang3.StringUtils;
    import org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter;
    import org.slf4j.LoggerFactory;

    import com.wisdombud.cqupt.edu.web.filter.MutableHttpServletRequest;
    import com.wisdombud.cqupt.edu.web.filter.XssHttpServletRequestWrapperNew;

    /**
     * Provides a single configuration point for security measures that require the
     * addition of one or more HTTP headers to the response.
     */

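    public class HttpHeaderSecurityFilter extends StrutsPrepareAndExecuteFilter {

        private static final org.slf4j.Logger LOGGER =
                LoggerFactory.getLogger(HttpHeaderSecurityFilter.class);

        /**
         * Deny-list pattern, compiled once. The pattern never changes at runtime; the
         * previous version recompiled it on every call to {@link #HasInjectionData(String)}.
         */
        private static final Pattern INJECTION_PATTERN = Pattern.compile(GetRegexString());

        /**
         * Adds the response security headers, rejects a request whose parameters match the
         * SQL deny-list, and otherwise hands the request to Struts wrapped in
         * {@link XssHttpServletRequestWrapperNew}.
         *
         * @param req   incoming request; cast to {@link HttpServletRequest}
         * @param res   outgoing response; cast to {@link HttpServletResponse}
         * @param chain the remaining filter chain, passed on to the Struts filter
         * @throws IOException      from the forward or from the Struts filter
         * @throws ServletException from the forward or from the Struts filter
         */
        @Override
        public void doFilter(final ServletRequest req, final ServletResponse res,
                final FilterChain chain) throws IOException, ServletException {
            final HttpServletRequest request = (HttpServletRequest) req;
            final HttpServletResponse response = (HttpServletResponse) res;

            // NOTE(review): this wrapper is built and populated but never passed on —
            // super.doFilter() below wraps the raw request — so the request-side
            // X-Frame-Options header is invisible downstream. Kept as in the original;
            // either wrap mutableHttpServletRequest instead of request, or drop it.
            final MutableHttpServletRequest mutableHttpServletRequest =
                    new MutableHttpServletRequest(request);
            mutableHttpServletRequest.putHeader("X-Frame-Options", "SAMEORIGIN");

            response.setHeader("X-Frame-Options", "SAMEORIGIN");
            response.setHeader("X-Content-Type-Options", "nosniff");

            if (sqlInjection(request)) {
                // Status set explicitly, before the forward, so the rejection is not
                // delivered as a 200 carrying an error-page body.
                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                final RequestDispatcher dispatcher = request.getRequestDispatcher("/400.jsp");
                dispatcher.forward(request, response);
                return;
            }
            super.doFilter(new XssHttpServletRequestWrapperNew(request), response, chain);
        }

        /**
         * Scans every request parameter value against the deny-list. Only the parameter
         * map is inspected: headers, cookies, the path and a raw JSON/XML body are not.
         *
         * @param httpRequest the request whose parameter map is scanned
         * @return {@code true} as soon as one value makes {@link #HasInjectionData(String)} fire
         */
        private boolean sqlInjection(final HttpServletRequest httpRequest) {
            final Map<?, ?> parameters = httpRequest.getParameterMap();
            for (final Object rawValue : parameters.values()) {
                // The Servlet API maps a name to String[]; the original also tolerated a
                // bare String, so both shapes are accepted. A null value used to throw
                // on .length and is now skipped.
                final String[] values;
                if (rawValue instanceof String[]) {
                    values = (String[]) rawValue;
                } else if (rawValue instanceof String) {
                    values = new String[] {(String) rawValue};
                } else {
                    continue;
                }
                for (final String value : values) {
                    if (StringUtils.isNotBlank(value) && HasInjectionData(value)) {
                        return true;
                    }
                }
            }
            return false;
        }

        /**
         * Checks one parameter value against the deny-list (conditional / command
         * keywords, and also any bare {@code <}, {@code >} or {@code =} followed by
         * whitespace, so the list rejects far more than SQL). A deny-list is a
         * defence-in-depth measure only; the queries themselves still need to be
         * parameterised.
         *
         * @param inputData raw parameter value; blank input is never flagged
         * @return {@code true} when the deny-list matches anywhere in the value
         */
        public boolean HasInjectionData(final String inputData) {
            if (StringUtils.isBlank(inputData)) {
                return false;
            }
            // Locale.ROOT: default-locale lower-casing (e.g. Turkish dotless i) would let
            // "INSERT" escape the lower-case "insert" keyword.
            final String normalized = inputData.toLowerCase(Locale.ROOT);
            // find() instead of matches() on ".*(...).*": '.' does not match line
            // terminators unless DOTALL is set, so a keyword placed after a newline in the
            // value slipped past the original check.
            final Matcher matcher = INJECTION_PATTERN.matcher(normalized);
            if (matcher.find()) {
                // Parameterised SLF4J call: the original passed a MessageFormat-style "{0}"
                // to String.format, so the offending value was never written to the log.
                // The value is attacker-supplied; do not echo it back to the client.
                LOGGER.info("检测出SQL注入的恶意数据,{}", inputData);
                return true;
            }
            return false;
        }

        /**
         * Builds the deny-list alternation {@code (kw1|kw2|...)}. Entries are regex
         * fragments, so the trailing {@code \s} / {@code \(} are intentional.
         *
         * @return the regular expression source for {@link #INJECTION_PATTERN}
         */
        private static String GetRegexString() {
            // NOTE(review): the published listing had every space stripped; the multi-word
            // entries ("net user", "net localgroup administrators",
            // "exec master.dbo.xp_cmdshell") are reconstructed here and should be confirmed
            // against the original source.
            final String[] strBadChar = {
                "select\\s", "from\\s", "or\\s", "insert\\s", "delete\\s", "update\\s",
                "drop\\s", "truncate\\s", "exec\\s", "count\\(", "declare\\s", "asc\\(",
                "mid\\(", "char\\(", "net user", "xp_cmdshell", "/add\\s",
                "exec master.dbo.xp_cmdshell", "net localgroup administrators", "and\\s",
                "=\\s", "where\\s", "<", ">"};
            final StringBuilder regex = new StringBuilder("(");
            for (int i = 0; i < strBadChar.length; i++) {
                if (i > 0) {
                    regex.append('|');
                }
                regex.append(strBadChar[i]);
            }
            return regex.append(')').toString();
        }
    }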

    3.调用类,代码:

    package com.wisdombud.cqupt.edu.web.filter;

    import java.util.Collections;
    import java.util.Enumeration;
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Map;
    import java.util.Set;
    import java.util.TreeMap;

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;

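    /**
     * Request wrapper that lets a filter add or override request headers for the code
     * downstream of it. Custom headers shadow the wrapped request's headers.
     */
    public final class MutableHttpServletRequest extends HttpServletRequestWrapper {

        // Custom header name -> value. HTTP header names are case-insensitive, so the
        // map compares keys case-insensitively; the original HashMap only answered
        // getHeader() for the exact spelling that was passed to putHeader().
        private final Map<String, String> customHeaders;

        /**
         * @param request the request to wrap (the superclass rejects {@code null})
         */
        public MutableHttpServletRequest(HttpServletRequest request) {
            super(request);
            this.customHeaders = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER);
        }

        /**
         * Adds or replaces a custom header.
         *
         * @param name  header name; {@code null} is rejected by the map
         * @param value header value
         */
        public void putHeader(String name, String value) {
            this.customHeaders.put(name, value);
        }

        /**
         * @return the custom value for {@code name} if one was put, else the wrapped
         *         request's value (possibly {@code null})
         */
        @Override
        public String getHeader(String name) {
            if (name != null) {
                String headerValue = customHeaders.get(name);
                if (headerValue != null) {
                    return headerValue;
                }
            }
            return ((HttpServletRequest) getRequest()).getHeader(name);
        }

        /**
         * Mirrors {@link #getHeader(String)} for the multi-valued accessor; without this
         * override a custom header was visible through getHeader() but not getHeaders().
         */
        @Override
        @SuppressWarnings("unchecked")
        public Enumeration<String> getHeaders(String name) {
            if (name != null) {
                String headerValue = customHeaders.get(name);
                if (headerValue != null) {
                    return Collections.enumeration(Collections.singletonList(headerValue));
                }
            }
            return ((HttpServletRequest) getRequest()).getHeaders(name);
        }

        /**
         * @return the union of the custom header names and the wrapped request's
         *         header names
         */
        @Override
        public Enumeration<String> getHeaderNames() {
            Set<String> names = new HashSet<String>(customHeaders.keySet());
            @SuppressWarnings("unchecked")
            Enumeration<String> wrapped = ((HttpServletRequest) getRequest()).getHeaderNames();
            while (wrapped.hasMoreElements()) {
                names.add(wrapped.nextElement());
            }
            return Collections.enumeration(names);
        }
    }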
