

/**
 * Copyright (c) 2012-present 铭软科技(mingsoft.net)
 * 本软件及相关文档文件(以下简称“软件”)的版权归 铭软科技 所有
 * 遵循 铭软科技《服务协议》中的《保密条款》
 */













package net.mingsoft.base.util;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.jdbc.BadSqlGrammarException;

import java.sql.SQLException;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

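/**
 * SQL-injection keyword filter.
 *
 * <p>Both checks are keyword denylists: {@link #filterContent(String...)} rejects a value that
 * contains any entry of {@link #XSS_KEYWORDS} as a substring (compared in lower case), and
 * {@link #isSqlValid(String)} reports whether a value matches {@link #SQL_PATTERN}. A denylist
 * is not a substitute for parameterised queries; these lists also reject ordinary text that
 * contains a comma, a plus sign or the word "count", so callers should expect false positives.
 *
 * <p>All members are static and stateless, and {@link Pattern} is thread-safe, so the class may
 * be used from any thread.
 *
 * @author Administrator
 * @version Created 2021/4/7 8:43
 * Revision history:
 */
public class SqlInjectionUtil {

    private static final Logger LOG = LoggerFactory.getLogger(SqlInjectionUtil.class);

    /**
     * Pipe-separated denylist used by {@link #filterContent(String...)}; each entry is matched as
     * a plain substring of the lower-cased value (note the trailing spaces on the keywords).
     */
    private static final String XSS_STR = "'|and |exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|,";

    /** {@link #XSS_STR} split once at class-load time instead of on every call. */
    private static final String[] XSS_KEYWORDS = XSS_STR.split("\\|");

    /**
     * Regex used by {@link #isSqlValid(String)}: a single quote, a {@code --} line comment, a
     * block comment, or one of the listed keywords at a word boundary.
     *
     * <p>Two corrections to the keyword alternation: "truncate" was previously spelt "trancate",
     * so that keyword was never matched; and the alternation was preceded by a literal space, so a
     * value that starts with a keyword (the documented example {@code "or 1=1"}) was not matched.
     */
    private static final String REG = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select |update |and |or |delete |insert |truncate |char| into |substr |ascii |declare |exec |count |master|drop |execute )\\b)";

    /** {@link #REG} compiled once; case-insensitive. */
    private static final Pattern SQL_PATTERN = Pattern.compile(REG, Pattern.CASE_INSENSITIVE);

    /**
     * Rejects every value that contains a denylisted SQL keyword.
     *
     * <p>Each value is lower-cased with {@link Locale#ROOT} so the check does not depend on the
     * JVM's default locale, then compared against every entry of {@link #XSS_KEYWORDS} with a
     * plain substring test. {@code null} and empty values are skipped; a {@code null} array is
     * treated as "no values".
     *
     * @param values the request parameters to check; may be {@code null} or contain {@code null}s
     * @throws BadSqlGrammarException if any value contains a denylisted keyword. The exception
     *         message embeds the offending value, so callers should not relay it to end users
     *         verbatim.
     */
    public static void filterContent(String... values) {
        if (values == null) {
            return;
        }
        for (String raw : values) {
            if (raw == null || raw.isEmpty()) {
                continue;
            }
            // Locale.ROOT: the denylist is ASCII, and default-locale lower-casing (e.g. tr_TR)
            // maps "I" to a dotless i, which would let a keyword slip past the substring test.
            String value = raw.toLowerCase(Locale.ROOT);
            for (String keyword : XSS_KEYWORDS) {
                if (value.contains(keyword)) {
                    // The value is user-controlled and is written to the log verbatim.
                    LOG.info("请注意,存在SQL注入关键词---> {}", keyword);
                    LOG.info("请注意,值可能存在SQL注入风险!---> {}", value);
                    throw new BadSqlGrammarException("", "bad sql" + value,
                            new SQLException("当前操作存在SQL非法注入"));
                }
            }
        }
    }

    // NOTE(review): the type arguments of this parameter look to have been stripped from the
    // listing; Map<String, String> is the only instantiation under which the original
    // `String value = fields.get(key);` compiles, and it erases to the same signature.
    /**
     * Applies {@link #filterContent(String...)} to every key and every value of {@code fields},
     * in the map's iteration order (key first, then value, per entry).
     *
     * @param fields the parameter map to check; must not be {@code null}
     * @throws NullPointerException if {@code fields} is {@code null}
     * @throws BadSqlGrammarException if any key or value contains a denylisted keyword
     */
    public static void filterContent(Map<String, String> fields) {
        Objects.requireNonNull(fields, "fields");
        for (Map.Entry<String, String> entry : fields.entrySet()) {
            filterContent(entry.getKey());
            filterContent(entry.getValue());
        }
    }

    /**
     * Reports whether {@code str} is free of the patterns in {@link #SQL_PATTERN}.
     *
     * <p>The first match is logged (the matched text is user-controlled). Every alternative of
     * the pattern consumes at least one non-blank character, so {@link Matcher#group()} is never
     * blank after a successful {@link Matcher#find()}; the previous blank-check was dead code.
     *
     * @param str the value to check, e.g. {@code "or 1=1"}; {@code null} is treated as valid
     *        because it carries nothing to inject
     * @return {@code true} if no pattern matches, {@code false} otherwise
     */
    public static boolean isSqlValid(String str) {
        if (str == null) {
            return true;
        }
        Matcher matcher = SQL_PATTERN.matcher(str);
        if (!matcher.find()) {
            return true;
        }
        LOG.info("参数存在非法字符,请确认:{}", matcher.group());
        return false;
    }
}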



