/**
|
* Copyright (c) 2016-2019 人人开源 All rights reserved.
|
*
|
* https://www.renren.io
|
*
|
* 版权所有,侵权必究!
|
*/
|
|
package com.yb.config;
|
|
import org.apache.commons.lang.StringUtils;
|
|
/**
|
* SQL过滤
|
*
|
* @author Mark sunlightcs@gmail.com
|
*/
|
public class SQLFilter {
|
|
/**
|
* SQL注入过滤
|
* @param str 待验证的字符串
|
*/
|
public static String sqlInject(String str) throws Exception {
|
if(StringUtils.isBlank(str)){
|
return null;
|
}
|
//去掉'|"|;|\字符
|
str = StringUtils.replace(str, "'", "");
|
str = StringUtils.replace(str, "\"", "");
|
str = StringUtils.replace(str, ";", "");
|
str = StringUtils.replace(str, "\\", "");
|
|
//转换成小写
|
str = str.toLowerCase();
|
|
//非法字符
|
String[] keywords = {"master", "truncate", "insert", "select", "delete", "update", "declare", "alter", "drop"};
|
|
//判断是否包含非法字符
|
for(String keyword : keywords){
|
if(str.indexOf(keyword) != -1){
|
throw new Exception("包含非法字符");
|
}
|
}
|
|
return str;
|
}
|
}
|
