1、Java防SQL注入，最簡(jiǎn)單的辦法是杜絕SQL拼接，SQL注入攻擊能得逞是因?yàn)樵谠蠸QL語(yǔ)句中加入了新的邏輯，如果使用PreparedStatement來(lái)代替Statement來(lái)執(zhí)行SQL語(yǔ)句，其后只是輸入?yún)?shù)，SQL注入攻擊手段將無(wú)效，這是因?yàn)镻reparedStatement不允許在不同的插入時(shí)間改變查詢的邏輯結(jié)構(gòu)，大部分的SQL注入已經(jīng)擋住了，在WEB層我們可以過(guò)濾用戶的輸入來(lái)防止SQL注入比如用Filter來(lái)過(guò)濾全局的表單參數(shù)。import java.io.IOException;import java.util.Iterator;import javax.servlet.Filte

2、r;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;/* 通過(guò)Filter過(guò)濾器來(lái)防SQL注入攻擊*/publ

3、ic class SQLFilter implements Filter private String inj_str =|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,; protected FilterConfig filterConfig = null;/* Should a character encoding specified by the client be ignored?*/protected boolean ignore = tru

4、e;public void init(FilterConfig config) throws ServletException this.filterConfig = config;this.inj_str = filterConfig.getInitParameter(keywords);public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException HttpServletRequest req = (Ht

5、tpServletRequest)request;動(dòng)力節(jié)點(diǎn)HttpServletResponse res = (HttpServletResponse)response;Iterator values = req.getParameterMap().values().iterator();/獲取所有的表單參數(shù) while(values.hasNext()String value = (String)values.next();for(int i = 0;i value.length;i+)if(sql_inj(valuei)/TODO這里發(fā)現(xiàn)sql注入代碼的業(yè)務(wù)邏輯代碼return;chain.doFilter(request, response);public boolean sql_inj(String str)String inj_stra=inj_str.split(|);for (int i=0 ; i =0)return true;return false;也可以單獨(dú)在需要防范SQL注入的JavaBean的字段上過(guò)濾：/* 防止sql注入* param sql* return*/動(dòng)力節(jié)點(diǎn)public s