spring3.0 MVC初步5-利用拦截器防止SQL注入
一、定义拦截器类实现HandlerInterceptor接口
public class SqlInjectIntercepter implements HandlerInterceptor {
@Override
public void afterCompletion(HttpServletRequest arg0,
HttpServletResponse arg1, Object arg2, Exception arg3)
throws Exception {
}
@Override
public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1,
Object arg2, ModelAndView arg3) throws Exception {
}
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
Object arg2) throws Exception {
Enumeration<String> names = request.getParameterNames();
while (names.hasMoreElements()) {
String name = names.nextElement();
String[] values = request.getParameterValues(name);
for (int i = 0; i < values.length; i++) {
if(Utility.hasAttackStr(values[i])){
if(!(values[i].equals("DELETE") && name.equals("_method")) ){
response.setContentType("text/html;charset=utf-8");
response.getWriter().print("请不要尝试注入<br><a href='#' onclick='history.go(-1)'>返回</a>");
return false;
}
}
}
}
return true;
}
}
二、配置拦截器
<mvc:interceptors>
<!-- mvc:interceptor>
<mvc:mapping path="/**"/ -->
<bean class="com.tdrc.common.controller.SqlInjectIntercepter"/>
<!-- /mvc:interceptor-->
</mvc:interceptors>
注意要写在<mvc:annotation-driven/>后面,否则拦截器不起作用。
