温馨提示×

url存在sql注入漏洞如何解决

小新
439
2021-01-27 16:24:29
栏目: 云计算

url存在sql注入漏洞如何解决

url存在sql注入漏洞的解决方法:

使用拦截器进行对request的host进行了验证,例如:

package com.XXX.interceptoer;

import com.jfinal.aop.Interceptor;

import com.jfinal.aop.Invocation;

import javax.servlet.http.HttpSession;

import java.io.IOException;

import java.util.ArrayList;

import java.util.List;

/**

* 未登录用户拦截

*/

public class AuthInterceptor implements Interceptor {

@Override

public void intercept(Invocation invocation) {

// 头攻击检测

String requestHost = invocation.getController().getRequest().getHeader("host");

HttpServletResponse response = invocation.getController().getResponse();

response.addHeader("Set-Cookie", " Path=/; HttpOnly"); //Cookie 缺少 HttpOnly属性

response.addHeader("X-Frame-Options", "SAMEORIGIN"); //防止 x-frame-options 缺失

if (requestHost != null && !isWhite(requestHost)) {

response.setStatus(403);

return;

}else {

HttpSession session = invocation.getController().getSession();

String url = invocation.getController().getRequest().getRequestURI();

if (session.getAttribute("user") != null || checkUrl(url)) {

if (url.endsWith("/") && session.getAttribute("user") != null) {

try {

invocation.getController().getResponse().sendRedirect("/admin");

} catch (IOException e) {

e.printStackTrace();

}

} else

invocation.invoke();

} else {

try {

invocation.getController().getResponse().sendRedirect("/");

} catch (IOException e) {

e.printStackTrace();

}

}

}

}

private boolean checkUrl(String url) {

return "/".equals(url)

|| url.contains("/XXX/XXX");

}

/**

* 是否在白名单内

* @param host

* @return

*/

private boolean isWhite(String host) {

List whiteList = new ArrayList();

whiteList.add("localhost:8088");

whiteList.add("127.0.0.1:8088");

for (String str : whiteList) {

if (str != null && str.equals(host)) {

return true;

}

}

return false;

}

}

0