其中URLDecoder.decode有个好处,就是防止%sql注入,当然对其他字符无效了,当在input输入用户名时候‘10001%’,经过后台先获取,并解码,会报错:
package test;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
public class Test1 {
public static void main(String[] arg0) {
String target = "1001%";
String charset = "UTF-8";
try {
/*
* System.out.println("---------URLDecoder处理前:--------" + target +
* "--->处理后===" + URLEncoder.encode(target, charset));
*/
System.out.println("---------URLDecoder处理前:--------" + target
+ "--->处理后===" + URLDecoder.decode(target, charset));
} catch (UnsupportedEncodingException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
报错如下:
Exception in thread "main" java.lang.IllegalArgumentException: URLDecoder: Incomplete trailing escape (%) pattern
at java.net.URLDecoder.decode(URLDecoder.java:187)
at test.Test1.main(Test1.java:17)
项目中用的是springMVC进行异常处理:
<bean id="exceptionResolver" class="com.ailk.base.exception.CustomSimpleMappingExceptionResolver">
<!-- 定义默认的异常处理页面,当该异常类型的注册时使用 -->
<property name="defaultErrorView" value="error/failure"></property>
<!-- 定义需要特殊处理的异常,用类名或完全路径名作为key,异常页名作为值 -->
<property name="exceptionMappings">
<props>
<prop key="com.ailk.base.exception.SystemException">/error/500</prop>
<prop key="com.ailk.base.exception.BusinessException">/error/error</prop>
<prop key="java.lang.exception">error/500</prop>
</props>
</property>
</bean>
package com.ailk.base.exception;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.SimpleMappingExceptionResolver;
public class CustomSimpleMappingExceptionResolver extends
SimpleMappingExceptionResolver {
@Override
protected ModelAndView doResolveException(HttpServletRequest request,
HttpServletResponse response, Object handler, Exception ex) {
// Expose ModelAndView for chosen error view.
String viewName = determineViewName(ex, request);
if (viewName != null) {// JSP格式返回
System.out.println("------------------------------>>>1 " + (request.getHeader("accept").indexOf("application/json") > -1));
System.out.println("------------------------------>>>2 " + (request
.getHeader("X-Requested-With") != null && request
.getHeader("X-Requested-With").indexOf("XMLHttpRequest") > -1));
if (!(request.getHeader("accept").indexOf("application/json") > -1 || (request
.getHeader("X-Requested-With") != null && request
.getHeader("X-Requested-With").indexOf("XMLHttpRequest") > -1))) {
// 如果不是异步请求
// Apply HTTP status code for error views, if specified.
// Only apply it if we're processing a top-level request.
Integer statusCode = determineStatusCode(request, viewName);
if (statusCode != null) {
applyStatusCodeIfPossible(request, response, statusCode);
}
return getModelAndView(viewName, ex, request);
} else {// JSON格式返回
try {
System.out.println("------------------------------>>>enter into json " + ex.getMessage());
PrintWriter writer = response.getWriter();
System.out.println("------------------------------>>> " + ex.getMessage());
writer.write(ex.getMessage());
writer.flush();
} catch (IOException e) {
System.out.println("------------------------------>>> <<<--------------------------");
e.printStackTrace();
}
return null;
}
} else {
return null;
}
}
}
所以,有效的解决了sql注入。网上还有的方法更直接,就是过滤器过滤直接粘过来:
配置拦截器
<!‐‐ 拦截器配置‐‐>
<mvc:interceptors>
<!‐‐ SQL注入拦截‐‐>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<bean class="com.data.job.util.interceptor.SqlInjectInterceptor"></bean>
</mvc:interceptor>
</mvc:interceptors>
/**
* 防止SQL注入的拦截器
*
* @author tyee.noprom@qq.com
* @time 2/13/16 8:22 PM.
*/
public class SqlInjectInterceptor implements HandlerInterceptor {
public boolean preHandle(HttpServletRequest request, HttpServletResponse response
Enumeration<String> names = request.getParameterNames();
while (names.hasMoreElements()) {
String name = names.nextElement();
String[] values = request.getParameterValues(name);
for (String value : values) {
value = clearXss(value);
}
}
/**
* 处理字符转义
*
* @param value
* @return
*/
private String clearXss(String value) {
if (value == null || "".equals(value)) {
return value;
}
value = value.replaceAll("<", "<").replaceAll(">", ">");
value = value.replaceAll("\\(", "(").replace("\\)", ")");
value = value.replaceAll("'", "'");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
"\"\"");
value = value.replace("script", "");
return value;
}
黄金分割线
===================================================================================================================
自己项目的代码
@ResponseBody
@RequestMapping(value = "login.htm")
public Map<String, Object> login(HttpServletRequest request, HttpServletResponse response) {
boolean result = false;
IMap _staffMap = new IMap();
IMap params = new IMap(request);
IMap封装了HashMap,以下封装代码:
// 从页面获取数据
public IMap(HttpServletRequest request) {
this.request = request;
// 返回值Map
returnMap = new HashMap<String, Object>();
// 参数Map
//@SuppressWarnings("unchecked")
@SuppressWarnings("unchecked")
Map<String, String[]> properties = request.getParameterMap();
Set<Map.Entry<String, String[]>> entrySet = properties.entrySet();
for (Map.Entry<String, String[]> entry : entrySet) {
String key = (String) entry.getKey() == null ? null : convert2Decode((String) entry.getKey(), charset);
Object valueObj = entry.getValue();
String value = "";
if(null == valueObj){
value = "";
}else if(valueObj instanceof String[]){
String[] values = (String[])valueObj;
for(int i=0;i<values.length;i++){
value = values[i].trim();
if (request.getMethod().equalsIgnoreCase("get")) {
value = values == null ? null : convert2Character(value, charset);
}
value = values == null ? null : convert2Decode(value, charset) + ",";
}
value = value.substring(0, value.length()-1);
}else{
value = valueObj.toString();
}
returnMap.put(key, value);
}
}
private static String convert2Decode(String target, String charset){
try {
System.out.println("---------URLDecoder处理前:--------" + target +"--->处理后===" + URLDecoder.decode(target, charset));
return URLDecoder.decode(target, charset);
} catch (UnsupportedEncodingException e) {
return target;
}
}
public String convert2Character(String target, String charset) {
System.out.println("编码转换之前:" + target);
try {
return new String(target.trim().getBytes("ISO-8859-1"), charset);
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
return target;
}
}
