java防SQL引入,最朴素的设备是避免SQL拼凑,SQL引入进攻能反咬一口是因为在原来SQL句子中添加了新的逻辑性，若是应用PreparedStatement来替代Statement来实行SQL句子，厥后仅仅键入主要参数，SQL引入进攻方式将失效，它是因为PreparedStatement不允许在区别的 *** 時间更改查看的逻辑结构 ,绝大多数的SQL引入早已遮挡了, 在WEB层我们可以过虑客户的键入来避免 SQL引入例如用Filter来过虑全局性的表格主要参数
01 import java.io.IOException;
02 import java.util.Iterator;
03 import javax.servlet.Filter;
04 import javax.servlet.FilterChain;
05 import javax.servlet.FilterConfig;
06 import javax.servlet.ServletException;
07 import javax.servlet.ServletRequest;
08 import javax.servlet.ServletResponse;
09 import javax.servlet.http.HttpServletRequest;
10 import javax.servlet.http.HttpServletResponse;
11 /**
12 * 根据Filter过滤装置来防SQL引入进攻
13 *

14 */
15 public class SQLFilter implements Filter {
16 private String inj_str = "'|and|exec|insert|select|delete|update|count|*||chr|mid|master|truncate|char|declare|; |or|-| |,";
17 protected FilterConfig filterConfig = null;
18 /**
19 * Should a character encoding specified by the client be ignored?
20 */
21 protected boolean ignore = true;
22 public void init(FilterConfig config) throws ServletException {
23 this.filterConfig = config;
24 this.inj_str = filterConfig.getInitParameter("keywords");
25 }
26 public void doFilter(ServletRequest request, ServletResponse response,
27 FilterChain chain) throws IOException, ServletException {
28 HttpServletRequest req = (HttpServletRequest)request;
29 HttpServletResponse res = (HttpServletResponse)response;
30 Iterator values = req.getParameterMap().values().iterator();//获得全部的表格主要参数
31 while(values.hasNext()){
32 String[] value = (String[])values.next();
33 for(int i = 0;i lt; value.length;i ){
34 if(sql_inj(value[i])){
35 //TODO这儿发觉sql注入编码的运营逻辑性编码
36 return;
37 }
38 }
39 }
40 chain.doFilter(request, response);
41 }
42 public boolean sql_inj(String str)
43 {
44 String[] inj_stra=inj_str.split("\\|");
45 for (int i=0 ; i lt; inj_stra.length ; i )
46 {
47 if (str.indexOf(" " inj_stra[i] " ")gt;=0)