
url存在sql注入漏洞如何解決

小新
2021-01-27 16:24:29

url存在sql注入漏洞如何解決

url存在sql注入漏洞的解決方法:

使用攔截器對 request 的 Host 標頭進行白名單驗證,例如(注意:下面的攔截器處理的是 Host 標頭攻擊檢測與未登錄存取控制;SQL 注入本身仍需在資料存取層使用參數化查詢並對輸入做校驗來防範):

package com.XXX.interceptoer;

import com.jfinal.aop.Interceptor;
import com.jfinal.aop.Invocation;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

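/**
 * Interceptor that rejects requests with an unexpected {@code Host} header and
 * redirects users who are not logged in away from protected URLs.
 *
 * <p>Order of checks in {@link #intercept(Invocation)}:
 * <ol>
 *   <li>response hardening headers are added;</li>
 *   <li>the {@code Host} header must match the allow-list, otherwise 403;</li>
 *   <li>a request without a {@code "user"} session attribute is only let through
 *       for URLs accepted by {@link #checkUrl(String)}, otherwise it is redirected to "/".</li>
 * </ol>
 *
 * <p>This interceptor does not inspect request parameters; it is not a defence
 * against SQL injection. Queries still need to be parameterized where they are built.
 */
public class AuthInterceptor implements Interceptor {

    /** Exact {@code host:port} values accepted in the Host header. */
    private static final List<String> WHITE_LIST = new ArrayList<String>();

    static {
        WHITE_LIST.add("localhost:8088");
        WHITE_LIST.add("127.0.0.1:8088");
    }

    /**
     * Applies the Host allow-list and the login check before the action runs.
     *
     * @param invocation the intercepted action invocation
     */
    @Override
    public void intercept(Invocation invocation) {
        // Host header attack detection.
        String requestHost = invocation.getController().getRequest().getHeader("host");
        HttpServletResponse response = invocation.getController().getResponse();

        // NOTE(review): this header carries cookie attributes but no cookie name/value, so it
        // does not add HttpOnly to the real session cookie. HttpOnly should be configured on
        // the session cookie itself (container / session cookie configuration).
        response.addHeader("Set-Cookie", " Path=/; HttpOnly");
        // Disallow framing by other origins.
        response.addHeader("X-Frame-Options", "SAMEORIGIN");

        // Fail closed: a missing Host header is rejected as well. The original condition
        // (requestHost != null && !isWhite(...)) skipped the allow-list when the header was absent.
        if (!isWhite(requestHost)) {
            // NOTE(review): only the status is set and no render is chosen here; confirm how
            // the framework completes the response when invoke() is not called.
            response.setStatus(403);
            return;
        }

        HttpSession session = invocation.getController().getSession();
        String url = invocation.getController().getRequest().getRequestURI();
        boolean loggedIn = session.getAttribute("user") != null;

        if (!loggedIn && !checkUrl(url)) {
            // Not logged in and not a public URL: back to the entry page.
            redirect(response, "/");
            return;
        }
        if (loggedIn && url.endsWith("/")) {
            // Logged-in users hitting a URL ending in "/" are sent to the admin page.
            redirect(response, "/admin");
            return;
        }
        invocation.invoke();
    }

    /** Sends a redirect; an I/O failure is reported and the request ends without invoking the action. */
    private void redirect(HttpServletResponse response, String location) {
        try {
            response.sendRedirect(location);
        } catch (IOException e) {
            // Best effort, as in the original: no logger is available in this class.
            e.printStackTrace();
        }
    }

    /**
     * Tells whether a URL may be accessed without being logged in.
     *
     * <p>NOTE(review): {@code contains} accepts the public path anywhere in the request URI,
     * and {@code getRequestURI()} is not normalized. An exact or prefix match on a normalized
     * path is the stricter check; the real path is redacted here, so the match is left as is.
     *
     * @param url the request URI
     * @return {@code true} if the URL is public
     */
    private boolean checkUrl(String url) {
        return "/".equals(url)
                || url.contains("/XXX/XXX");
    }

    /**
     * Tells whether the given Host header value is on the allow-list.
     *
     * @param host the Host header value, possibly {@code null}
     * @return {@code true} only for an exact match with an allow-listed entry
     */
    private boolean isWhite(String host) {
        return host != null && WHITE_LIST.contains(host);
    }
}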
