案例引入

現在有這樣一個問題，就是在提交大片文字評論的時候，前臺拿到數據之后給后臺發送ajax請求，然后后臺有一個防止SQL注入的Filter，這個Filter得到這個前臺傳過來的數據之后，進行合法性校驗，如果沒有校驗成功，那么要跳轉到error.jsp頁面進行顯示錯誤信息。現在讓我們看看怎么實現這個需求。

思路一：請求轉發實現

ajax請求

$.ajax({method:'post',url:'servlet/DemoServlet',dataType:'json',data:{'userName':userName,'passWord':passWord,'text': text},success:function(data){//成功之后的邏輯},error:function(){//錯誤之后的邏輯}});

防止SQL注入Filter

package com.yiyexiaoyuan.filter;import java.io.IOException;import java.util.Enumeration;import javax.security.auth.message.callback.PrivateKeyCallback.Request;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import net.sf.json.JSONObject;//過濾sql關鍵字的Filter public class SQLFilter implements Filter{public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException{HttpServletRequest req = (HttpServletRequest) request;HttpServletResponse res = (HttpServletResponse) response;// 獲得所有請求參數名Enumeration params = req.getParameterNames();String sql = "";while (params.hasMoreElements()){// 得到參數名String name = params.nextElement().toString();// System.out.println("name===========================" + name +// "--");// 得到參數對應值String[] value = req.getParameterValues(name);for (int i = 0; i < value.length; i++){sql = sql + value[i];} }System.out.println("提交方式:"+req.getMethod());System.out.println("被匹配字符串：" + sql);if (sqlValidate(sql)){//請求轉發req.getRequestDispatcher("error.jsp").forward(req, res); }else{String request_uri = req.getRequestURI(); chain.doFilter(request, response);}}// 校驗protected static boolean sqlValidate(String str){str = str.toLowerCase();// 統一轉為小寫// String badStr = "and|exec";String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|chr|mid|master|truncate|char|declare|sitename|net user|xp_cmdshell|or|like|;|--|+|,|*|/";/** String badStr =* "'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|"* +* "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|"* + "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#";*/// 過濾掉的sql關鍵字，可以手動添加String[] badStrs = badStr.split("http://|");for (int i = 0; i < badStrs.length; i++){if (str.indexOf(badStrs[i]) != -1){System.out.println("匹配到：" + badStrs[i]);return true;}}return false;}public void init(FilterConfig filterConfig) throws ServletException{// throw new UnsupportedOperationException("Not supported yet.");}public void destroy(){// throw new UnsupportedOperationException("Not supported yet.");}}