web.xml 中配置如下
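<!-- SQLFilter: a keyword blacklist applied to request parameters by
     com.zte.frame.filter.SQLFilter.doFilter(). Only requests whose path matches
     *.shtml pass through it; any other URL pattern (other extensions, REST-style
     paths, the default servlet) reaches the application without this check. -->
<filter-mapping>
  <filter-name>SQLFilter</filter-name>
  <url-pattern>*.shtml</url-pattern>
</filter-mapping>

<filter>
  <filter-name>SQLFilter</filter-name>
  <filter-class>com.zte.frame.filter.SQLFilter</filter-class>
  <init-param>
    <!-- Blacklist of substrings, presumably split on '|' by the filter's init()
         (the parsing code is not shown here). A request whose parameter value
         contains any of them is rejected.
         This is defence in depth only: the primary protection against SQL
         injection has to be parameterised queries (PreparedStatement with bound
         values) in the data-access code. A substring blacklist is bypassable
         (case variants, comments, alternative encodings) and at the same time
         rejects ordinary input: any value containing "and", "or", "count",
         a hyphen, a comma, a plus sign or a percent sign is refused, e.g. the
         name "Brandon", a hyphenated phone number or an address with '+'. -->
    <param-name>keywords</param-name>
    <param-value>'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,|--</param-value>
  </init-param>
</filter>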
?
后台代码如下:
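public void doFilter(ServletRequest request, ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
    // NOTE(review): this is a substring blacklist over request parameter values.
    // Treat it as a defence-in-depth speed bump only; the real control against SQL
    // injection is PreparedStatement with bound parameters in the data-access code.
    // The keyword list configured in web.xml also rejects ordinary input (anything
    // containing "and", "or", a hyphen, a comma, ...), and whether case variants or
    // alternative encodings slip past depends on sql_inj(), which is defined
    // elsewhere and not visible here.
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    // Only parameter values are inspected. Parameter names, headers, cookies, the
    // request path and any JSON/XML body are not looked at by this filter.
    java.util.Map<String, String[]> params = req.getParameterMap();
    for (String[] candidates : params.values()) {
        if (candidates == null) {
            continue;
        }
        for (String candidate : candidates) {
            if (candidate != null && sql_inj(candidate)) {
                rejectRequest(res, candidate);
                return;
            }
        }
    }
    chain.doFilter(request, response);
}

/**
 * Logs the offending parameter value and answers the request with an error page
 * instead of passing it down the chain.
 *
 * @param res       response to write the rejection to
 * @param offending the parameter value that matched the blacklist
 * @throws IOException if the response writer cannot be obtained
 */
private void rejectRequest(HttpServletResponse res, String offending) throws IOException {
    // Strip CR/LF so an attacker-controlled value cannot forge extra log lines.
    String logSafe = offending.replaceAll("[\\r\\n]", " ");
    log.info("------------参数中包含非法字符----'" + logSafe + "'----------");
    // A rejected request must look like an error to clients and monitoring, not a
    // 200 with an inline <script>. The alert text is a constant and never echoes
    // the parameter, so nothing untrusted is reflected into the page.
    res.setStatus(400); // HttpServletResponse.SC_BAD_REQUEST
    res.setContentType("text/html;charset=UTF-8"); // the message contains non-ASCII text
    PrintWriter out = res.getWriter();
    out.print("<Script Language='javascript'>alert('参数中包含非法字符!');</Script>");
    out.close();
}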